Preface


ASIACRYPT 2002 was held in Queenstown, New Zealand, December 1-5, 2002. 
The conference was organized by the International Association for Cryptologic 
Research (IACR). 

The program committee received 173 submissions from around the world, 
from which 34 were selected for presentation. Each submission was reviewed by 
at least three experts in the relevant research area. 

Let me first thank all the authors, including those whose submissions were 
not successful, for taking the time to prepare the submissions. Their dedication 
and efforts in advancing research in cryptography made this conference possible. 

Selecting presentations from such a large number of submissions was an extremely difficult and challenging task. The program committee members, together with external referees, spent thousands of hours of their precious time reviewing the submissions. At the completion of the selection process, the program committee received 875 review reports in total. In addition, the committee received several hundred comments during the three-week period of discussions.

Taking this opportunity, I would like to thank all the program committee 
members for their time and dedication. Without their expertise in the state of the 
art in cryptography and their willingness to serve the data security community, 
the conference would not have had such a high-quality program. I would also 
like to thank the numerous external referees for their invaluable assistance in 
identifying the scientific and practical merits of the submissions. 

The quality of the program was further enhanced by two distinguished keynote speeches delivered by Prof. Tsutomu Matsumoto from Yokohama National University in Japan, and Dr. Moti Yung from CertCo and Columbia University in the USA. On behalf of the program committee, I would like to thank both prominent pioneers in cryptography for their inspiring presentations.

Thanks also go to the general chair Hank Wolfe from the University of Otago for successfully running the conference in such a beautiful town. It was a wonderful experience for me to work with Hank.

The reviewing process benefited greatly from the advice of Bart Preneel and Wim Moreau on handling the reviewing software. I appreciated Colin Boyd’s assistance in editing the proceedings. My special thanks go to Lawrence Teo who acted as my assistant during the entire period of setting up the website, accepting, reviewing submissions, and editing the final proceedings. The year-long process would not have run so smoothly without his tireless help and superb technical skills in handling the software packages.


September 2002 


Yuliang Zheng 
Abstract. In [1], Bernstein proposed a circuit-based implementation of the matrix step of the number field sieve factorization algorithm. These circuits offer an asymptotic cost reduction under the measure “construction cost × run time”. We evaluate the cost of these circuits, in agreement with [1], but argue that compared to previously known methods these circuits can factor integers that are 1.17 times larger, rather than 3.01 as claimed (and even this, only under the non-standard cost measure). We also propose an improved circuit design based on a new mesh routing algorithm, and show that for factorization of 1024-bit integers the matrix step can, under an optimistic assumption about the matrix size, be completed within a day by a device that costs a few thousand dollars. We conclude that from a practical standpoint, the security of RSA relies exclusively on the hardness of the relation collection step of the number field sieve.

Keywords: factorization, number field sieve, RSA, mesh routing


1 Introduction

In [1], a new circuit-based approach is proposed for one of the steps of the number field sieve (NFS) integer factorization method, namely finding a linear relation in a large but sparse matrix. Unfortunately, the proposal from [1] has been misinterpreted on a large scale, even to the extent that announcements have been made that the results imply that common RSA key sizes no longer provide an adequate level of security.

In this paper we attempt to give a more balanced interpretation of [1]. In particular, we show that 1024-bit RSA keys are as secure as many believed them to be. Actually, [1] provides compelling new evidence that supports a traditional and widely used method to evaluate the security of RSA moduli. We present a variant of the analysis of [1] that would suggest that, under the metric proposed in [1], the number of digits of factorable integers n has grown by a factor 1.17 + o(1), for n → ∞ (in [1] a factor of 3.01 + o(1) is mentioned).

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, 2002.
We propose an improved circuit design, based on mesh routing rather than mesh sorting. To this end we describe a new routing algorithm whose performance in our setting seems optimal. With some further optimizations, the construction cost is reduced by several orders of magnitude compared to [1]. In the improved design the parallelization is gained essentially for free, since its cost is comparable to the cost of RAM needed just to store the input matrix.

We estimate the cost of breaking 1024-bit RSA with current technology. Using custom-built hardware to implement the improved circuit, the NFS matrix step becomes surprisingly inexpensive. However, the theoretical analysis shows that the cost of the relation collection step cannot be significantly reduced, regardless of the cost of the matrix step. We thus conclude that the practical security of RSA for commonly used modulus sizes is not significantly affected by [1].

Section 2 reviews background on the NFS; it does not contain any new material and simply serves as an explanation and confirmation of the analysis from [1]. Section 3 sketches the circuit approach of [1] and considers its implications. Section 4 discusses various cost-aspects of the NFS. Section 5 focuses on 1024-bit numbers, presenting custom hardware for the NFS matrix step both following [1] and using the newly proposed circuit. Section 6 summarizes our conclusions. Appendices A and B outline the limitations of off-the-shelf parts for the mesh-based approach and the traditional approach, respectively. Throughout this paper, n denotes the composite integer to be factored. Prices are in US dollars.

2 Background on the Number Field Sieve

In theory and in practice the two main steps of the NFS are the relation collection step and the matrix step. We review their heuristic asymptotic runtime analysis because it enables us to stress several points that are important for a proper understanding of “standard-NFS” and of “circuit-NFS” as proposed in [1].

2.1 Smoothness. An integer is called B-smooth if all its prime factors are at most B. Following [?, 3.16] we denote by L_x[r; α] any function of x that equals

$$ e^{(\alpha + o(1))(\log x)^r (\log\log x)^{1-r}}, \quad \text{for } x \to \infty, $$

where α and r are real numbers with 0 ≤ r ≤ 1 and logarithms are natural. Thus, L_x[r; α] + L_x[r; β] = L_x[r; max(α, β)], L_x[r; α]L_x[r; β] = L_x[r; α + β], L_x[r; α]L_x[s; β] = L_x[r; α] if r < s, L_x[r; α]^k = L_x[r; kα] and if α > 0 then (log x)^k L_x[r; α] = L_x[r; α] for any fixed k, and π(L_x[r; α]) = L_x[r; α] where π(y) is the number of primes ≤ y.

Let α > 0, β > 0, r, and s be fixed real numbers with 0 < s < r ≤ 1. A random positive integer ≤ L_x[r; α] is L_x[s; β]-smooth with probability

$$ L_x[r - s;\ -\alpha(r - s)/\beta], \quad \text{for } x \to \infty. $$

We abbreviate L_n to L and L[1/3, α] to L(α). Thus, a random integer ≤ L[2/3, α] is L(β)-smooth with probability L(−α/(3β)). The notation L^{1.901⋯+o(1)} in [1] corresponds to L(1.901⋯) here. We write “ℓ ≐ x” for “ℓ = x + o(1) for n → ∞.”
2.2 Ordinary NFS. To factor n using the NFS, more or less following the approach from [?], one selects a positive integer

for a positive value δ that is yet to be determined, an integer m close to n^{1/(d+1)}, a polynomial f(X) = Σ_{i=0}^{d} f_i X^i ∈ Z[X] such that f(m) = 0 mod n with each f_i of the same order of magnitude as m, a rational smoothness bound B_r, and an algebraic smoothness bound B_a. Other properties of these parameters are not relevant for our purposes.

A pair (a, b) of integers is called a relation if a and b are coprime, b > 0, a − bm is B_r-smooth, and b^d f(a/b) is B_a-smooth. Each relation corresponds to a sparse D-dimensional bit vector with

$$ D \approx \pi(B_r) + \#\{(p, r) : p \text{ prime} \le B_a,\ f(r) = 0 \bmod p\} \approx \pi(B_r) + \pi(B_a) $$

(cf. [?]). In the relation collection step a set of more than D relations is sought. Given this set, one or more linear dependencies modulo 2 among the corresponding D-dimensional bit vectors are constructed in the matrix step. Per dependency there is a chance of at least 50% (exactly 50% for RSA moduli) that a factor of n is found in the final step, the square root step. We discuss some issues of the relation collection and matrix steps that are relevant for [1].

2.3 Relation Collection. We restrict the search for relations to the rectangle |a| ≤ L(α), 0 < b ≤ L(α) and use B_r and B_a that are both L(β) (which does not imply that B_r = B_a), for α, β > 0 that are yet to be determined. It follows (cf. 2.1) that D = L(β). Furthermore,

$$ |a - bm| = L[2/3,\ 1/\delta] \quad\text{and}\quad |b^d f(a/b)| = L[2/3,\ \alpha\delta + 1/\delta]. $$

With 2.1 and under the usual assumption that a − bm and b^d f(a/b) behave, with respect to smoothness probabilities, independently as random integers of comparable sizes, the probability that both are L(β)-smooth is

The search space contains 2L(α)² = 2L(2α) = L(2α) pairs (a, b) and, due to the o(1), as many pairs (a, b) with gcd(a, b) = 1. It follows that α and β must be chosen such that

We find that

$$ \alpha = \frac{3\beta^2 + 2/\delta}{6\beta - \delta}. \qquad (1) $$
2.4 Testing for Smoothness. The (a, b) search space can be processed in L(2α) operations. If sufficient memory is available this can be done using sieving. Current PC implementations intended for the factorization of relatively small numbers usually have adequate memory for sieving. For much larger numbers and current programs, sieving would become problematic. In that case, the search space can be processed in the “same” L(2α) operations (with an, admittedly, larger o(1)) but at a cost of only L(0) memory using the Elliptic Curve Method (ECM) embellished in any way one sees fit with trial division, Pollard rho, early aborts, etc., and run on any number K of processors in parallel to achieve a K-fold speedup. This was observed many times (see for instance [11, 4.15] and [?]). Thus, despite the fact that current implementations of the relation collection require substantial memory, it is well known that asymptotically this step requires negligible memory without incurring, in theory, a runtime penalty; in practice, however, it is substantially slower than sieving. Intermediate solutions that exchange sieving memory for many tightly coupled processors with small memories could prove valuable too; see [?] for an early example of this approach and [1] for various other interesting proposals that may turn out to be practically relevant. For the asymptotic argument, ECM suffices.

In improved NFS from [3] it was necessary to use a “memory-free” method when searching for B_a-smooth numbers (cf. 2.2), in order to achieve the speedup. It was suggested in [3] that the ECM may be used for this purpose. Since memory usage was no concern for the analysis in [3], regular “memory-wasteful” sieving was suggested to test B_r-smoothness.

2.5 The Matrix Step. The choices made in 2.3 result in a bit matrix A consisting of D = L(β) columns such that each column of A contains only L(0) nonzero entries. Denoting by w(A) the total number of nonzero entries of A (its weight), it follows that w(A) = L(β) · L(0) = L(β). Using a variety of techniques [?], dependencies can be found after, essentially, O(D) multiplications of A times a bit vector. Since one matrix-by-vector multiplication can be done in O(w(A)) = L(β) operations, the matrix step can be completed in L(β)² = L(2β) operations. We use “standard-NFS” to refer to NFS that uses a matrix step with L(2β) operation count.

We will be concerned with a specific method for finding the dependencies in A, namely the block Wiedemann algorithm [?] whose outline is as follows. Let K be the blocking factor, i.e., the amount of parallelism desired. We may assume that either K = 1 or K ≥ 32. Choose 2K binary D-dimensional vectors v_i, u_j for 1 ≤ i, j ≤ K. For each i, compute the vectors A^k v_i for k up to roughly 2D/K, using repeated matrix-by-vector multiplication. For each such vector A^k v_i, compute the inner products u_j A^k v_i, for all j. Only these inner products are saved, to conserve storage. From the inner products, compute certain polynomials f_l(x), l = 1, …, K of degree about D/K. Then evaluate f_l(A)v_i, for all l and i (take one v_i at a time and evaluate f_l(A)v_i for all l simultaneously using repeated matrix-by-vector multiplications). From the result, K elements from the kernel of A can be computed. The procedure is probabilistic, but succeeds with high probability for K > 1 [?]. For K = 1, the cost roughly doubles [?].

For reasonable blocking factors (K = 1 or 32 ≤ K ≪ √D), the block Wiedemann algorithm involves about 3D matrix-by-vector multiplications. These multiplications dominate the cost of the matrix step; accordingly, the circuits of [1], and our variants thereof, aim to reduce their cost. Note that the multiplications are performed in 2K separate chains where each chain involves repeated left-multiplication by A. The proposed circuits rely on this for their efficiency. Thus, they appear less suitable for other dependency-finding algorithms, such as block Lanczos [?] which requires just 2D multiplications.


2.6 NFS Parameter Optimization for Matrix Exponent 2e > 1. With the relation collection and matrix steps in L(2α) and L(2β) operations, respectively, the values for α, β, and δ that minimize the overall NFS operation count follow using Relation (1). However, we also need the optimal values if the “cost” of the matrix step is different from L(β)²; in [1] “cost” is defined using a metric that is not always the same as operation count, so we need to analyse the NFS using alternative cost metrics. This can be done by allowing flexibility in the “cost” of the matrix step: we consider how to optimize the NFS parameters for an L(β)^{2e} matrix step, for some exponent e > 1/2. The corresponding relation collection operation count is fixed at L(2α) (cf. 2.1).

We balance the cost of the relation collection and matrix steps by taking α ≐ eβ. With (1) it follows that

$$ 3(2e - 1)\beta^2 - e\beta\delta - 2/\delta = 0, $$

so that

$$ \beta = \frac{e\delta + \sqrt{e^2\delta^2 + 24(2e - 1)/\delta}}{6(2e - 1)}. $$

Minimizing β given e leads to

$$ \delta \doteq \sqrt[3]{3(2e - 1)/e^2} \qquad (2) $$

and

$$ \beta \doteq 2\sqrt[3]{e/(3(2e - 1))^2}. \qquad (3) $$

Minimizing the resulting

$$ \alpha \doteq 2e\sqrt[3]{e/(3(2e - 1))^2} \qquad (4) $$

leads to e = 1 and α ≐ 2/3^{2/3}: even though e < 1 would allow more “relaxed” relations (i.e., larger smoothness bounds and thus easier to find), the fact that more of such relations have to be found becomes counterproductive. It follows that an operation count of L(4/3^{2/3}) is optimal for relation collection, but that for 2e > 2 it is better to use suboptimal relation collection because otherwise the matrix step would dominate. We find the following optimal NFS parameters:

1 < 2e ≤ 2:

δ ≐ 3^{1/3}, α ≐ 2/3^{2/3}, and β ≐ 2/3^{2/3}, with operation counts of relation collection and matrix steps equal to L(4/3^{2/3}) and L(4e/3^{2/3}), respectively. For e = 1 the operation counts of the two steps are the same (when expressed in L) and the overall operation count is L(4/3^{2/3}) = L((64/9)^{1/3}) = L(1.9229994⋯). This corresponds to the heuristic asymptotic runtime of the NFS as given in [?]. We refer to these parameter choices as the ordinary parameter choices.

2e ≥ 2:

δ, β, and α as given by Relations (2), (3), and (4), respectively, with operation count L(2α) for relation collection and cost L(2eβ) for the matrix step, where L(2α) = L(2eβ). More in particular, we find the following values.

2e = 5/2:

δ ≐ (5/3)^{1/3}(6/5), α ≐ (5/3)^{1/3}(5/6), and β ≐ (5/3)^{1/3}(2/3), for an operation count and cost L((5/3)^{4/3}) = L(1.9760518⋯) for the relation collection and matrix steps, respectively. These values are familiar from [1, Section 6: Circuits]. With (1.9229994⋯/1.9760518⋯ + o(1))³ ≈ 0.9216 and equating operation count and cost, this suggests that factoring 0.9216 · 512 ≈ 472-bit composites using NFS with matrix exponent 5/2 is comparable to factoring 512-bit ones using standard-NFS with ordinary parameter choices (disregarding the effects of the o(1)’s).

2e = 3:

δ ≐ 2/3^{1/3}, α ≐ 3^{2/3}/2, and β ≐ 3^{−1/3}, for an operation count and cost of L(3^{2/3}) = L(2.0800838⋯) for the relation collection and matrix steps, respectively.

2.7 Improved NFS. It was shown in [3] that ordinary NFS from [?], and as used in 2.2, can be improved by using more than a single polynomial f. Let α and δ be as in 2.3 and 2.2, respectively, let β indicate the rational smoothness bound B_r (i.e., B_r = L(β)), and let γ indicate the algebraic smoothness bound B_a (i.e., B_a = L(γ)). Let G be a set of B_r/B_a = L(β − γ) different polynomials, each of degree d and common root m modulo n (as in 2.2). A pair (a, b) of integers is a relation if a and b are coprime, b > 0, a − bm is B_r-smooth, and b^d g(a/b) is B_a-smooth for at least one g ∈ G. Let e be the matrix exponent. Balancing the cost of the relation collection and matrix steps it follows that α ≐ eβ. Optimization leads to

and for this γ to

$$ \beta \doteq \frac{9\gamma^3 + 1 + \sqrt{18\gamma^3(2e + 1) + 1}}{18e\gamma^2} $$

and

$$ \delta \doteq \frac{3\gamma\left(-4e - 1 + \sqrt{18\gamma^3(2e + 1) + 1}\right)}{9\gamma^3 - 4e}. $$

It follows that for 2e = 2 the method from [3] gives an improvement over the ordinary method, namely L(1.9018836⋯). The condition β > γ leads to 2e < 7/3, so that for 2e ≥ 7/3 (as in circuit-NFS, cf. 3.1) usage of the method from [3] no longer leads to an improvement over the ordinary method. This explains why in [1] the method from [3] is used to select parameters for standard-NFS and why the ordinary method is used for circuit-NFS.

With [?] it follows that the sum of the (rational) sieving and ECM-based (algebraic) smoothness times from [3] (cf. last paragraph of 2.4) is minimized if β = γ + 1/(3βδ). The above formulas then lead to 2e = (3 + √17)/4 = 1.7807764⋯. Therefore, unlike the ordinary parameter selection method, optimal relation collection for the improved method from [3] occurs for an e with 2e < 2: with e = 0.8903882⋯ the operation count for relation collection becomes L(1.8689328⋯). Thus, in principle, and depending on the cost function one is using, the improved method would be able to take advantage of a matrix step with exponent 2e < 2. If we disregard the matrix step and minimize the operation count of relation collection, this method yields a cost of L(1.8689328⋯).

3 The Circuits for Integer Factorization from [1]

3.1 Matrix-by-Vector Multiplication Using Mesh Sorting. In [1] an interesting new mesh-sorting-based method is described to compute a matrix-by-vector product. Let A be the bit matrix from 2.5 with D = L(β) columns and weight w(A) = L(β), and let m be the least power of 2 such that m² > w(A) + 2D. Thus m = L(β/2). We assume, without loss of generality, that A is square. A mesh of m × m processors, each with O(log D) = L(0) memory, initially stores the matrix A and a not necessarily sparse D-dimensional bit vector v. An elegant method is given that computes the product Av using repeated sorting in O(m) steps, where each step involves a small constant number of simultaneous operations on all m × m mesh processors. At the end of the computation Av can easily be extracted from the mesh. Furthermore, the mesh is immediately, without further changes to its state, ready for the computation of the product of A and the vector Av. We use “circuit-NFS” to refer to NFS that uses the mesh-sorting-based matrix step.

3.2 The Throughput Cost Function from [1]. Judging by operation counts, the mesh-based algorithm is not competitive with the traditional way of computing Av: as indicated in 2.5 it can be done in O(w(A)) = L(β) operations. The mesh-based computation takes O(m) steps on all m × m mesh processors simultaneously, resulting in an operation count per matrix-by-vector multiplication of O(m³) = L(3β/2). Iterating the matrix-by-vector multiplications L(β) times results in a mesh-sorting-based matrix step that requires L(5β/2) = L(β)^{5/2} operations as opposed to just L(2β) for the traditional approach. This explains the non-ordinary relation collection parameters used in [1] corresponding to the analysis given in 2.6 for 2e = 5/2, something we comment upon below in 3.4.

However, the standard comparison of operation counts overlooks the following fact. The traditional approach requires memory O(w(A) + D) = L(β) for storage of A and the vector; given that amount of memory it takes time L(2β). But given the m × m mesh, with m × m = L(β), the mesh-based approach takes time just L(3β/2) because during each unit of time L(β) operations are carried out simultaneously on the mesh. To capture the advantage of “active small processors” (as in the mesh) compared to “inactive memory” (as in the traditional approach) and the fact that their price is comparable, it is stipulated in [1] that the cost of factorization is “the product of the time and the cost of the machine.” We refer to this cost function as throughput cost, since it can be interpreted as measuring the equipment cost per unit problem-solving throughput. It is frequently used in VLSI design (where it’s known as “AT cost”, for Area × Time), but apparently was not used previously in the context of computational number theory.

It appears that throughput cost is indeed appropriate when a large number of problems must be solved during some long period of time while minimizing total expenses. This does not imply that throughput cost is always appropriate for assessing security, as illustrated by the following example. Suppose Carrol wishes to assess the risk of her encryption key being broken by each of two adversaries, Alice and Bob. Carrol knows that Alice has plans for a device that costs $1M and takes 50 years to break a key, and that Bob’s device costs $50M and takes 1 year to break a key. In one scenario, each adversary has a $1M budget: clearly Alice is dangerous and Bob is not. In another scenario, each adversary has a $50M budget. This time both are dangerous, but Bob apparently forms a greater menace because he can break Carrol’s key within one year, while Alice still needs 50 years. Thus, the two devices have the same throughput cost, yet either can be more “dangerous” than the other, depending on external settings. The key point is that if Alice and Bob have many keys to break within 50 years then indeed their cost-per-key figures are identical, but the time it will take Bob to break Carrol’s key depends on her priority in his list of victims, and arguably Carrol should make the paranoid assumption that she is first.

In Section 4 we comment further on performance measurement for the NFS.

3.3 Application of the Throughput Cost. The time required for all matrix-by-vector multiplications on the mesh is L(3β/2). The equipment cost of the mesh is the cost of m² small processors with L(0) memory per processor, and is thus L(β). The throughput cost, the product of the time and the cost of the equipment, is therefore L(5β/2). The matrix step of standard-NFS requires time L(2β) and equipment cost L(β) for the memory, resulting in a throughput cost of L(3β). Thus, the throughput cost advantage of the mesh-based approach is a factor L(β/2) if the two methods would use the same β (cf. Remark 3.4).

The same observation applies if the standard-NFS matrix step is K-fold parallelized, for reasonable K (cf. 2.5): the time drops by a factor K which is cancelled (in the throughput cost) by a K times higher equipment cost because each participating processor needs the same memory L(β). In circuit-NFS (i.e., the mesh) a parallelization factor m² is used: the time drops by a factor only m (not m²), but the equipment cost stays the same because memory L(0) suffices for each of the m² participating processors. Thus, with the throughput cost circuit-NFS achieves an advantage of m = L(β/2). The mesh itself can of course be K-fold parallelized but the resulting K-fold increase in equipment cost and K-fold drop in time cancel each other in the throughput cost [1, Section 4].

Remark 3.4. It can be argued that before evaluating an existing algorithm based on a new cost function, the algorithm first should be tuned to the new cost function. This is further commented upon below in 3.5.

3.5 Implication of the Throughput Cost. We consider the implication of the matrix step throughput cost of L(5β/2) for circuit-NFS compared to L(3β) for standard-NFS. In [1] the well known fact is used that the throughput cost of relation collection is L(2α) (cf. 2.1): an operation count of L(2α) on a single processor with L(0) memory results in time L(2α), equipment cost L(0), and throughput cost L(2α). This can be time-sliced in any way that is convenient, i.e., for any K use K processors of L(0) memory each and spend time L(2α)/K on all K processors simultaneously, resulting in the same throughput cost L(2α). Thus, for relation collection the throughput cost is proportional to the operation count. The analysis of 2.6 applies with 2e = 5/2 and leads to an optimal overall circuit-NFS throughput cost of L(1.9760518⋯). As mentioned above and in 3.2 the throughput cost and the operation count are equivalent for both relation collection and the matrix step of circuit-NFS. Thus, as calculated in 2.6, circuit-NFS is from an operation count point of view less powerful than standard-NFS, losing already 40 bits in the 500-bit range (disregarding the o(1)’s) when compared to standard-NFS with ordinary parameter choices. This conclusion applies to any NFS implementation, such as many existing ones, where memory requirements are not multiplicatively included in the cost function.

But operation count is not the point of view taken in [1]. There standard-NFS is compared to circuit-NFS in the following way. The parameters for standard-NFS are chosen under the assumption that the throughput cost of relation collection is L(3α): operation count L(2α) and memory cost L(α) for the sieving result in time L(2α)/K and equipment cost K · L(α) (for any K-fold parallelization) and thus throughput cost L(3α). This disregards the fact that long before [1] appeared it was known that the use of L(α) memory per processor may be convenient, in practice and for relatively small numbers, but is by no means required (cf. [?]). In any case, combined with L(3β) for the throughput cost of the matrix step this leads to α ≐ β, implying that the analysis from 2.6 with 2e = 2 applies, but that the resulting operation count must be raised to the 3/2-th power. In [1] the improvement from [3] mentioned in 2.7 is used, leading to a throughput cost for standard-NFS of L(2.8528254⋯) (where 2.8528254⋯ is 1.5 times the 1.9018836⋯ referred to in 2.7). Since (2.8528254⋯/1.9760518⋯)³ = 3.0090581⋯, it is suggested in [1] that the number of digits of factorable composites grows by a factor 3 if circuit-NFS is used instead of standard-NFS.

3.6 Alternative Interpretation. How does the comparison between circuit-NFS and standard-NFS with respect to their throughput costs turn out if standard-NFS is first properly tuned (Remark 3.4) to the throughput cost function, given the state of the art in, say, 1990 (cf. [?, 4.15]; also the year that [?] originally appeared)? With throughput cost L(2α) for relation collection (cf. above and 2.4), the analysis from 2.6 with 2e = 3 applies, resulting in a throughput cost of just L(2.0800838⋯) for standard-NFS. Since (2.0800838⋯/1.9760518⋯)³ < 1.17, this would suggest that 1.17n-digit composites can be factored using circuit-NFS for the throughput cost of n-digit integers using standard-NFS. The significance of this comparison depends on whether or not the throughput cost is an acceptable way of measuring the cost of standard-NFS. If not, then the conclusion based on the operation count (as mentioned above) would be that circuit-NFS is slower than standard-NFS; but see Section 4 for a more complete picture. Other examples where it is recognized that the memory cost of relation collection is asymptotically not a concern can be found in [?] and [?], and are implied by [?].
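The parameter optimization of 2.6 and 2.7, the digit-count ratios of 3.5 and 3.6, and the matched matrix step of 4.1, carried out numerically in an added example that is not code from the paper: the formulas are the paper's, the golden-section and bisection helpers are ours, and o(1) terms are ignored throughout.

```python
"""Numerical check of the asymptotic NFS parameter analysis.

All quantities are exponents c in L(c) = L_n[1/3; c]; o(1) terms are ignored.
Added example: the formulas are those of Sections 2.6, 2.7 and 4.1; the
golden-section and bisection helpers are our own, not the paper's.
"""
import math


def alpha_from_relation1(beta, delta):
    """Relation (1): alpha = (3 beta^2 + 2/delta) / (6 beta - delta)."""
    return (3 * beta ** 2 + 2 / delta) / (6 * beta - delta)


def ordinary_params(e):
    """Relations (2)-(4): (delta, alpha, beta) for ordinary NFS with
    alpha = e*beta and matrix exponent 2e >= 2."""
    delta = (3 * (2 * e - 1) / e ** 2) ** (1 / 3)
    beta = 2 * (e / (3 * (2 * e - 1)) ** 2) ** (1 / 3)
    return delta, e * beta, beta


def minimize(f, lo, hi, iters=100):
    """Golden-section search for the minimiser of a unimodal f on [lo, hi]."""
    g = (math.sqrt(5) - 1) / 2
    for _ in range(iters):
        c, d = hi - g * (hi - lo), lo + g * (hi - lo)
        if f(c) < f(d):
            hi = d          # minimiser lies in [lo, d]
        else:
            lo = c          # minimiser lies in [c, hi]
    return (lo + hi) / 2


def bisect(h, lo, hi, iters=60):
    """Root of a continuous h with h(lo) and h(hi) of opposite sign."""
    sign_lo = h(lo) > 0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if (h(mid) > 0) == sign_lo:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def improved_beta(gamma, e):
    """Section 2.7: rational exponent beta for algebraic exponent gamma, matrix exponent e."""
    s = math.sqrt(18 * gamma ** 3 * (2 * e + 1) + 1)
    return (9 * gamma ** 3 + 1 + s) / (18 * e * gamma ** 2)


def improved_delta(gamma, e):
    """Section 2.7: the degree parameter delta that goes with improved_beta."""
    s = math.sqrt(18 * gamma ** 3 * (2 * e + 1) + 1)
    return 3 * gamma * (-4 * e - 1 + s) / (9 * gamma ** 3 - 4 * e)


def improved_params(e):
    """Improved NFS (multiple polynomials): choose gamma minimising beta.
    Returns (gamma, beta, delta, alpha) with alpha = e*beta."""
    gamma = minimize(lambda g: improved_beta(g, e), 0.5, 1.5)
    beta = improved_beta(gamma, e)
    return gamma, beta, improved_delta(gamma, e), e * beta


def balanced_improved_e():
    """Matrix exponent e at which the rational sieving time L(2 alpha) equals the
    ECM time L(2 alpha - 1/(3 beta delta) + beta - gamma), i.e. beta = gamma + 1/(3 beta delta)."""
    def imbalance(e):
        gamma, beta, delta, _ = improved_params(e)
        return beta - gamma - 1 / (3 * beta * delta)
    return bisect(imbalance, 0.7, 1.0)


def digits_factor(c_standard, c_circuit):
    """Ratio of digit counts n2/n1 with L_{n2}(c_circuit) = L_{n1}(c_standard):
    the exponent scales with (log n)^{1/3}, so the ratio is (c_standard/c_circuit)^3
    (the (log log n)^{2/3} factor is disregarded, as in the paper)."""
    return (c_standard / c_circuit) ** 3


def matched_matrix_step(c_circuit):
    """Section 4.1: beta with L(3 beta) = L(c_circuit), then the delta and alpha
    that minimise alpha under Relation (1). Returns (beta, delta, alpha)."""
    beta = c_circuit / 3
    delta = minimize(lambda d: alpha_from_relation1(beta, d), 0.1, 6 * beta - 0.1)
    return beta, delta, alpha_from_relation1(beta, delta)


if __name__ == "__main__":
    for two_e in (2, 2.5, 3):
        delta, alpha, beta = ordinary_params(two_e / 2)
        print(f"ordinary 2e={two_e}: delta={delta:.4f} beta={beta:.4f} "
              f"operation count L({2 * alpha:.7f})")
    gamma, beta, delta, alpha = improved_params(1.0)
    print(f"improved 2e=2: gamma={gamma:.4f} beta={beta:.4f} L({2 * alpha:.7f})")
    e = balanced_improved_e()
    print(f"balanced improved NFS: 2e={2 * e:.7f} L({2 * improved_params(e)[3]:.7f})")
    c_std = 1.5 * 2 * improved_params(1.0)[3]   # throughput cost L(3 alpha) used in 3.5
    c_circ = 2 * ordinary_params(1.25)[1]        # circuit-NFS: L(5 beta/2) = L(2 alpha)
    c_tuned = 2 * ordinary_params(1.5)[1]        # tuned standard-NFS of 3.6
    print(f"digit factor claimed in [1]: {digits_factor(c_std, c_circ):.7f}")
    print(f"digit factor after tuning:   {digits_factor(c_tuned, c_circ):.4f}")
    beta, delta, alpha = matched_matrix_step(c_circ)
    print(f"4.1: beta={beta:.4f} delta={delta:.4f} alpha={alpha:.4f}")
```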

Remark 3.7. It can be argued that the approach in 3.6 of replacing the ordinary standard-NFS parameters by smaller smoothness bounds in order to make the matrix step easier corresponds to what happens in many actual NFS factorizations. There it is done not only to make the matrix step less cumbersome at the cost of somewhat more sieving, but also to make do with available PC memories. Each contributing PC uses the largest smoothness bounds and sieving range that fit conveniently and that cause minimal interference with the PC-owner’s real work. Thus, parameters may vary from machine to machine. This is combined with other memory saving methods such as “special-q’s.” In any case, if insufficient memory is available for sieving with optimal ordinary parameters, one does not run out to buy more memory but settles for slight suboptimality, with the added benefit of an easier matrix step. See also 4.1.

Remark 3.8. In [12], Wiener outlines a three-dimensional circuit for the matrix step, with structure that is optimal in a certain sense (when considering the cost of internal wiring). This design leads to a matrix step exponent of 2e = 7/3, compared to 5/2 in the designs of [1] and this paper. However, adaptation of that design to two dimensions yields a matrix step exponent that is asymptotically identical to ours, and vice versa. Thus the approach of [12] is asymptotically equivalent to ours, while its practical cost remains to be evaluated. We note that in either approach, there are sound technological reasons to prefer the 2D variant. Interestingly, 2e = 7/3 is the point where improved and standard NFS become the same (cf. 2.7).

4 Operation Count, Equipment Cost, and Real Time

The asymptotic characteristics of standard-NFS and circuit-NFS with respect to their operation count, equipment, and real time spent are summarized in Table 1. For non-L(0) equipment requirements it is specified if the main cost goes to memory (“RAM”), processing elements (“PEs”) with L(0) memory, or a square mesh as in 3.1, and “tuned” refers to the alternative analysis in 3.6.
Table 1. NFS costs: operation count, equipment, and real time.

                          overall    | relation collection                | matrix step
                          operation  | equipment               time       | equipment      time
                          count      |                                    |
standard-NFS:
  sieving                 L(1.90)    | L(0.95) RAM             L(1.90)    | L(0.95) RAM    L(1.90)
  no sieving              L(1.90)    | L(0)                    L(1.90)    | L(0.95) RAM    L(1.90)
tuned, no sieving         L(2.08)*   | sequential: L(0)        L(2.08)    | L(0.69) RAM    L(1.39)
                                     | parallel: L(0.69) PEs   L(1.39)    |
circuit-NFS               L(1.98)*   | sequential: L(0)        L(1.98)    | L(0.79) mesh   L(1.19)
                                     | parallel: L(0.79) PEs   L(1.19)    |

(* operation counts underlined in the original)

The underlined operation counts are the same as the corresponding throughput costs. For the other operation count the throughput cost (not optimized if no sieving is used) follows by taking the maximum of the products of the figures in the "equipment" and "real time" columns. Relation collection, whether using sieving or not, allows almost arbitrary parallelization (as used in the last two rows of Table 1). The amount of parallelization allowed in the matrix step of standard-NFS is much more limited (cf. 2.5); it is not used in Table 1.

4.1 Lowering the Cost of the Standard-NFS Matrix Step. We show at what cost the asymptotic advantages of the circuit-NFS matrix step (low throughput cost and short real time) can be matched, asymptotically, using the traditional approach to the matrix step. This requires a smaller matrix, i.e., lower smoothness bounds, and results therefore in slower relation collection. We illustrate this with two examples. To get matching throughput costs for the matrix steps of standard-NFS and circuit-NFS, β must be chosen such that L(3β) = L((5/3)^{4/3}) = L(1.9760···), so that the matrix step of standard-NFS requires L(β) = L(0.6586···) RAM and real time L(2β) = L(1.3173···). Substituting this β in Relation (5) and minimizing α with respect to δ we find

(5)

i.e., δ = 1.3675··· and α = 1.0694···, resulting in relation collection operation count L(2.1389···). Or, one could match the real time of the matrix steps: with L(2β) = L((5/3)^{1/3}) = L(1.1856···) the matrix step of standard-NFS requires L(0.5928···) RAM and real time L(1.1856···). With Relation (5) we find that δ = 1.3195···, α = 1.1486···, and relation collection operation count L(2.2973···).

4.2 Operation Count Based Estimates. Operation count is the traditional 
way of measuring the cost of the NFS. It corresponds to the standard complexity 


12 


Arjen K. Lenstra et al. 


measure of "runtime" and neglects the cost of memory or other equipment that is needed to actually "run" the algorithm. It was used, for instance, in |TT) and [1] and was analysed in 2.6 and 2.7.

It can be seen in Table 1 and was indicated in 3.5 that the operation count for circuit-NFS is higher than for standard-NFS (assuming both methods are optimized with respect to the operation count): L(1.9760518···) as opposed to just L(1.9018836···) when using the improved version (cf. 2.7, as in Table 1) or as opposed to L(1.9229994···) when using the ordinary version (cf. 2.6, as in 3.5). Thus, RSA moduli that are deemed sufficiently secure based on standard-NFS operation count security estimates are even more secure when circuit-NFS is considered instead. Such estimates are common; see for instance tm and the "computationally equivalent" estimates in m. Security estimates based on the recommendations from m or the main ones (i.e., the conservative "computationally equivalent" ones) from m are therefore not affected by the result from [1]. Nevertheless, we agree with j2| that the PC-based realization suggested in H3, meant to present an at the time possibly realistic approach that users can relate to, may not be the best way to realize a certain operation count; see also the last paragraph of [El 2.4.7]. The estimates from [E5j are affected by [1].

Remark 4.3. Historically, in past factorization experiments the matrix step was always solved using a fraction of the effort required by relation collection. Moreover, the memory requirements of sieving-based relation collection have never turned out to be a serious problem (it was not even necessary to fall back to the memory-efficient ECM and its variations). Thus, despite the asymptotic analysis, extrapolation from past experience would predict that the bottleneck of the NFS method is relation collection, and that simple operation count is a better practical cost measure for NFS than other measures that are presumably more realistic. The choice of cost function in [H1H] was done accordingly.

The findings of [1] further support this conservative approach, by going a long way towards closing the gap between the two measures of cost when applied to the NFS: 93% of the gap according to 3.5 and 61% according to 3.6.

5 Hardware for the Matrix Step for 1024-Bit Moduli

In this section we extrapolate current factoring knowledge to come up with reasonable estimates for the sizes of the matrix A that would have to be processed for the factorization of a 1024-bit composite when using ordinary relation collection (cf. 2.6), and using slower relation collection according to matrix exponent 5/2 as used in circuit-NFS. For the latter (smaller sized) matrix we consider how expensive it would be to build the mesh-sorting-based matrix-by-vector multiplication circuit proposed in [1] using custom-built hardware and we estimate how much time the matrix step would take on the resulting device. We then propose an alternative mesh-based matrix-by-vector multiplication circuit and estimate its performance for both matrices, for custom-built and off-the-shelf hardware.

Throughout this section we are interested mainly in assessing feasibility, for the purpose of evaluating the security implications. Our assumptions will be somewhat optimistic, but we believe that the designs are fundamentally sound and give realistic indications of feasibility using technology that is available in the present or in the near future.


5.1 Matrix Sizes. For the factorization of RSA-512 the matrix had about 6.7 million columns and average column density about 63 [3]. There is no doubt that this matrix is considerably smaller than a matrix that would have resulted from ordinary relation collection as defined in 2.6, cf. Remark 3.7. Nevertheless, we make the optimistic assumption that this is the size that would result from ordinary relation collection.

Combining this figure with the L(2/3^{2/3}) matrix size growth rate (cf. 2.11) we find

$$ 6\,700\,000 \cdot \frac{L_{2^{1024}}[1/3,\ 2/3^{2/3}]}{L_{2^{512}}[1/3,\ 2/3^{2/3}]} \approx 1.8 \cdot 10^{10} $$

(cf. 2.11). Including the effect of the o(1) it is estimated that an optimal 1024-bit matrix would contain about 10^{10} columns. We optimistically assume an average column density of about 100. We refer to this matrix as the "large" matrix.

Correcting this matrix size for the L((5/3)^{1/3}(2/3)) matrix size growth rate for matrix exponent 5/2 (cf. 2.11) we find

$$ 1.8 \cdot 10^{10} \cdot \frac{L_{2^{1024}}[1/3,\ (5/3)^{1/3}(2/3)]}{L_{2^{1024}}[1/3,\ 2/3^{2/3}]} \approx 8.7 \cdot 10^{7}. $$

We arrive at an estimate of about 4 · 10^7 columns for the circuit-NFS 1024-bit matrix. We again, optimistically, assume that the average column density is about 100. We refer to this matrix as the "small" matrix.


5.2 Estimated Relation Collection Cost. Relation collection for RSA-512 could have been done in about 8 years on a 1GHz PC [3]. Since

$$ \frac{L_{2^{1024}}[1/3,\ 4/3^{2/3}]}{L_{2^{512}}[1/3,\ 4/3^{2/3}]} \approx 6 \cdot 10^{7} $$

we estimate that generating the large matrix would require about a year on about 30 million 1GHz PCs with large memories (or more PC-time but less memory when using alternative smoothness tests; keep in mind, though, that it may be possible to achieve the same operation count using different hardware, as rightly noted in [1] and speculated in [T2 2.4.7]). With

$$ \frac{L_{2^{1024}}[1/3,\ (5/3)^{4/3}]}{L_{2^{1024}}[1/3,\ 4/3^{2/3}]} \approx 5 $$

it follows that generating the smaller matrix would require about 5 times the above effort. Neither computation is infeasible. But, it can be argued that 1024-bit RSA moduli provide a reasonable level of security just based on the operation count of the relation collection step.
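The extrapolations of 5.1 and 5.2 carried through in code, as an added example rather than anything from the paper: L below is L_n[1/3, c] with the o(1) in the exponent dropped, the four constants are the exponents named in the text, and the function names are my own. The "about 10^10 columns" and "about 4 · 10^7 columns" figures of 5.1 are hand corrections for the o(1) and are not reproduced; only the raw ratios are computed.

```python
from math import exp, log


def L(bits, c, r=1 / 3):
    """L_n[r, c] = exp(c * (ln n)^r * (ln ln n)^(1-r)) for n = 2^bits,
    with the o(1) in the exponent dropped, as in the estimates of 5.1 and 5.2."""
    ln_n = bits * log(2)
    return exp(c * ln_n ** r * log(ln_n) ** (1 - r))


# the exponents used in 5.1 and 5.2 (all with r = 1/3)
C_MATRIX_STD = 2 / 3 ** (2 / 3)             # 0.9615..., matrix size, ordinary NFS (2.6)
C_MATRIX_CIRC = (5 / 3) ** (1 / 3) * 2 / 3  # 0.7904..., matrix size for matrix exponent 5/2
C_RELCOL_STD = 4 / 3 ** (2 / 3)             # 1.9229..., relation collection, ordinary NFS
C_RELCOL_CIRC = (5 / 3) ** (4 / 3)          # 1.9760..., relation collection, circuit-NFS


def growth(c, bits_from, bits_to):
    """Factor by which L_n[1/3, c] grows from a bits_from-bit n to a bits_to-bit n."""
    return L(bits_to, c) / L(bits_from, c)


def matrix_estimates(rsa512_columns=6.7e6):
    """The two matrix sizes of 5.1: scale the RSA-512 column count to 1024 bits
    with the ordinary growth rate ("large"), then correct for the slower
    relation collection of circuit-NFS ("small")."""
    large = rsa512_columns * growth(C_MATRIX_STD, 512, 1024)
    small = large * L(1024, C_MATRIX_CIRC) / L(1024, C_MATRIX_STD)
    return large, small


def relation_collection_penalty(bits=1024):
    """5.2: factor by which circuit-NFS relation collection exceeds ordinary
    relation collection at the given modulus size (about 5 at 1024 bits)."""
    return L(bits, C_RELCOL_CIRC) / L(bits, C_RELCOL_STD)
```

With the o(1) dropped, `matrix_estimates()` returns the raw 1.8 · 10^10 and 8.7 · 10^7 of 5.1, and `relation_collection_penalty()` the factor of about 5 of 5.2; changing `bits` shows how quickly that penalty grows with the modulus size.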
5.3 Processing the "Small" Matrix Using Bernstein's Circuits. We estimate the size of the circuit required to implement the mesh circuit of [1] when the NFS parameters are optimized for the throughput cost function and 1024-bit composites. We then derive a rough prediction of the associated costs when the mesh is implemented by custom hardware using current VLSI technology. In this subsection we use the circuit exactly as described in [1]; the next subsections will make several improvements, including those listed as future plans in [1].

In [1], the algorithm used for finding dependencies among the columns of A is Wiedemann's original algorithm ^2|, which is a special case of block Wiedemann with blocking factor K = 1 (cf. 2.5). In the first stage (inner product computation), we are given the sparse D × D matrix A and some pair of vectors u, v and wish to calculate uA^k v for k = 1, ..., 2D. The polynomial evaluation stage is slightly different, but the designs given below can be easily adapted so we will not discuss it explicitly.

The mesh consists of m × m nodes, where m^2 ≥ w(A) + 2D (cf. 3.1). By assumption, w(A) ≈ 4 · 10^9 and D ≈ 4 · 10^7 so we may choose m = 63256. To execute the sorting-based algorithm, each node consists mainly of 3 registers of ⌈log_2(4 · 10^7)⌉ = 26 bits each, a 26-bit compare-exchange element (in at least half of the nodes), and some logic for tracking the current stage of the algorithm. Input, namely the nonzero elements of A and the initial vector v, is loaded just once so this can be done serially. The mesh computes the vectors A^k v by repeated matrix-by-vector multiplication, and following each such multiplication it calculates the inner product u(A^k v) and outputs this single bit.

In standard CMOS VLSI design, a single-bit register (i.e., a D-type edge-triggered flip-flop) requires about 8 transistors, which amounts to 624 transistors per node. To account for the logic and additional overheads such as a clock distribution network, we shall assume an average of 2000 transistors per node for a total of 8.0 · 10^12 transistors in the mesh.

As a representative of current technology available on large scale we consider Intel's latest Pentium processor, the Pentium 4 "Northwood" (0.13 µm feature size process). A single Northwood chip (inclusive of its on-board L2 cache) contains 5.5 · 10^7 transistors, and can be manufactured in dies of size 131 mm^2 on wafers of diameter 300 mm, i.e., about 530 chips per wafer when disregarding defects. The 1.6GHz variant is currently sold at $140 in retail channels. By transistor count, the complete mesh would require about (8.0 · 10^12)/(5.5 · 10^7) ≈ 145 500 Northwood-sized dies or about 273 wafers. Using the above per-chip price figure naively, the construction cost is about $20M. Alternatively, assuming a wafer cost of about $5,000 we get a construction cost of roughly $1.4M, and the initial costs (e.g., mask creation) are under $1M.

The matter of inter-chip communication is problematic. The mesh as a whole needs very few external lines (serial input, 1-bit output, clock, and power). However, a chip consisting of s × s nodes has 4s − 4 nodes on its edges, and each of these needs two 26-bit bidirectional links with its neighbor on an adjacent chip, for a total of about 2 · 2 · 26 · 4s = 416s connections. Moreover, such connections typically do not support the full 1GHz clock rate, so to achieve the necessary bandwidth we will need about 4 times as many connections: 1664s. While standard wiring technology cannot provide such enormous density, the following scheme seems plausible. Emerging "flip-chip" technologies allow direct connections between chips that are placed face-to-face, at a density of 277 connections per mm^2 (i.e., 60 µm array pitch). We cut each wafer into the shape of a cross, and arrange the wafers in a two-dimensional grid with the arms of adjacent wafers in full overlap. The central square of each cross-shaped wafer contains mesh nodes, and the arms are dedicated to inter-wafer connections. Simple calculation shows that with the above connection density, if 40% of the (uncut) wafer area is used for mesh nodes then there is sufficient room left for the connection pads and associated circuitry. This disregards the issues of delays (mesh edges that cross wafer boundaries are realized by longer wires and are thus slower than the rest), and of the defects which are bound to occur. To address these, adaptation of the algorithm is needed. Assuming the algorithmic issues are surmountable, the inter-wafer communication entails a cost increase by a factor of about 3, to $4.1M.

According to [1, Section 4], a matrix-by-vector multiplication consists of, essentially, three sort operations on the m × m mesh. Each sort operation takes 8m steps, where each step consists of a compare-exchange operation between 26-bit registers of adjacent nodes. Thus, multiplication requires 3 · 8m ≈ 1.52 · 10^6 steps. Assuming that each step takes a single clock cycle at a 1GHz clock rate, we get a throughput of 659 multiplications per second.

Basically, Wiedemann's algorithm requires 3D multiplications. Alas, the use of blocking factor K = 1 entails some additional costs. First, the number of multiplications roughly doubles due to the possibility of failure (cf. 2.5). Moreover, the algorithm will yield a single vector from the kernel of A, whereas the Number Field Sieve requires several linearly independent kernel elements: half of these yield a trivial congruence (cf. 2.2), and moreover certain NFS optimizations necessitate discarding most of the vectors. In RSA-512, a total of about 10 kernel vectors were needed. Fortunately, getting additional vectors is likely to be cheaper than getting the first one (this is implicit in JEH Algorithm 1]). Overall, we expect the number of multiplications to be roughly 2 · 3⅓ · 3D = 20D. Thus, the expected total running time is roughly 20 · 4 · 10^7 / 659 ≈ 1 210 000 seconds, or 14 days. The throughput cost is thus 5.10 · 10^12 $ × sec.

If we increase the blocking factor from 1 to over 32 and handle the multiplication chains sequentially on a single mesh, then only 3D multiplications are needed ([1] considers this but claims that it will not change the cost of computation; that is true only up to constant factors). In this case the time decreases to 50 hours, and the throughput cost decreases to 7.4 · 10^11 $ × sec.

Heat dissipation (i.e., power consumption) may limit the node density and 
clock rate of the device, and needs to be analysed. Note however that this limita- 
tion is technological rather than theoretical, since in principle the mesh sorting 
algorithm can be efficiently implemented using reversible gates and arbitrarily 
low heat dissipation. 
5.4 A Routing-Based Circuit. The above analysis refers to the mesh circuit described in [1], which relies on the novel use of mesh sorting for matrix-by-vector multiplication. We now present an alternative design, based on mesh routing. This design performs a single routing operation per multiplication, compared to three sorting operations (where even a single sorting operation is slower than routing). The resulting design has a reduced cost, improved fault tolerance and very simple local control. Moreover, its inherent flexibility allows further improvements, as discussed in the next section. The basic design is as follows.

For simplicity assume that each of the D columns of the matrix has weight exactly h (here h = 100), and that the nonzero elements of A are uniformly distributed (both assumptions can be easily relaxed). Let m = √(D · h). We divide the m × m mesh into D blocks of size √h × √h. Let S_i denote the i-th block in row-major order (i ∈ {1, ..., D}), and let t_i denote the node in the upper left corner of S_i. We say that t_i is the target of the value i. Each node holds two log_2(D)-bit values, Q[i] and R[i]. Each target node t_i also contains a single-bit value P[i]. For repeated multiplication of A and v, the mesh is initialized as follows: the i-th entry of v is loaded into P[i], and the row indices of the nonzero elements in column i ∈ {1, ..., D} of A are stored (in arbitrary order) in the Q[·] of the nodes in S_i. Each multiplication is performed thus:

1. For all i, broadcast the value of P[i] from t_i to the rest of the nodes in S_i (this can be accomplished in 2√h − 2 steps).

2. For all i and every node j in S_i: if P[i] = 1 then R[j] ← Q[j], else R[j] ← nil (where nil is some distinguished value outside {1, ..., D}).

3. P[i] ← 0 for all i.

4. Invoke a mesh-based packet routing algorithm on the R[·], such that each non-nil value R[j] is routed to its target node t_{R[j]}. Each time a value i arrives at its target t_i, discard it and flip P[i].

After these steps, P[·] contain the result of the multiplication, and the mesh is ready for the next multiplication. As before, in the inner product computation stage of the Wiedemann algorithm, we need only compute uA^k v for some vector u, so we load the i-th coordinate of u into node t_i during initialization, and compute the single-bit result uA^k v inside the mesh during the next multiplication.

There remains the choice of a routing algorithm. Many candidates exist (see JZJ for a survey). To minimize hardware cost, we restrict our attention to algorithms for the "one packet" model, in which at each step every node holds at most one packet (and consequently each node can send at most one packet and receive at most one packet per step). Note that this rules out most known algorithms, including those for the well-studied "hot-potato" routing model which provides a register for every edge. Since we do binary multiplication, the routing problem has the following unusual property: pairwise packet annihilation is allowed. That is, pairs of packets with identical values may be "cancelled out" without affecting the result of the computation. This relaxation can greatly reduce the congestion caused by multiple packets converging to a common destination. Indeed this seems to render commonly-cited lower bounds inapplicable, and we are not aware of any discussion of this variant in the literature. While known routing and sorting algorithms can be adapted to our task, we suggest a new routing algorithm that seems optimal, based on our empirical tests.

The algorithm, which we call clockwise transposition routing, has an exceptionally simple control structure which consists of repeating 4 steps. Each step involves compare-exchange operations on pairs of neighboring nodes, such that the exchange is performed iff it reduces the distance-to-target of the non-nil value (out of at most 2) that is farthest from its target along the relevant direction. This boils down to comparison of the target row indices (for vertically adjacent nodes) or target column indices (for horizontally adjacent nodes). For instance, for horizontally adjacent nodes i, i+1 such that t_{R[i]} resides on column c_i and t_{R[i+1]} resides on column c_{i+1}, an exchange of i and i+1 will be done iff c_i > c_{i+1}. To this we add annihilation: if R[i] = R[i+1] then both are replaced by nil.

The first step of clockwise transposition routing consists of compare-exchange 
between each node residing on an odd row with the node above it (if any). The 
second step consists of compare-exchange between each node residing on an odd 
column with the node to its right (if any). The third and fourth steps are similar 
to the first and second respectively, except that they involve the neighbors in 
the opposite direction. It is easily seen that each node simply performs compare- 
exchanges with its four neighbors in either clockwise or counterclockwise order. 

We do not yet have a theoretical analysis of this algorithm. However, we 
have simulated it on numerous inputs of sizes up to 13 000 x 13 000 with random 
inputs drawn from a distribution mimicking that of the above mesh, as well 
as the simple distribution that puts a random value in every node. In all runs 
(except for very small meshes), we have not observed even a single case where 
the running time exceeded 2m steps. This is just two steps from the trivial lower 
bound 2m — 2. 

Our algorithm is a generalization of odd-even transposition sort, with a schedule that is identical to the "2D-bubblesort" algorithm of [S] but with different compare-exchange elements. The change from sorting to routing is indeed quite beneficial, as [E] shows that 2D-bubblesort is considerably slower than the observed performance of our clockwise transposition routing. The new algorithm appears to be much faster than the 8m sorting algorithm (due to Schimmler) used in [1], and its local control is very simple compared to the complicated recursive algorithms that achieve the 3m-step lower bound on mesh sorting (cf. [EJ).

A physical realization of the mesh will contain many local faults (especially for devices that are wafer-scale or larger, as discussed below). In the routing-based mesh, we can handle local defects by algorithmic means as follows. Each node shall contain 4 additional state bits, indicating whether each of its 4 neighbors is "disabled". These bits are loaded during device initialization, after mapping out the defects. The compare-exchange logic is augmented such that if node i has a "disabled" neighbor in direction Δ then i never performs an exchange in that direction, but always performs the exchange in the two directions orthogonal to Δ. This allows us to "close off" arbitrary rectangular regions of the mesh, such that values that reach a "closed-off" region from outside are routed along its perimeter. We add a few spare nodes to the mesh, and manipulate the mesh inputs such that the spares effectively replace the nodes in the closed-off regions. We conjecture that the local disturbance caused by a few small closed-off regions will not have a significant effect on the routing performance.

Going back to the cost evaluation, we see that replacing the sorting-based mesh with a routing-based mesh reduces time by a factor of 3 · 8/2 = 12. Also, note that the Q[·] values are used just once per multiplication, and can thus be stored in slower DRAM cells in the vicinity of the node. DRAM cells are much smaller than edge-triggered flip-flops, since they require only one transistor and one capacitor per bit. Moreover, the regular structure of DRAM banks allows for very dense packing. Using large banks of embedded DRAM (which are shared by many nodes in their vicinity), the amortized chip area per DRAM bit is about 0.7 µm^2. Our Northwood-based estimates lead to 2.38 µm^2 per transistor, so we surmise that for our purposes a DRAM bit costs 1/3.4 as much as a logic transistor, or about 1/27 as much as a flip-flop. For simplicity, we ignore the circuitry needed to retrieve the values from DRAM: this can be done cheaply by temporarily wiring chains of adjacent R[·] into shift registers. In terms of circuit size, we effectively eliminate two of the three large registers per node, and some associated logic, so the routing-based mesh is about 3 times cheaper to manufacture. Overall, we gain a reduction of a factor 3 · 12 = 36 in the throughput cost.

5.5 An Improved Routing-Based Circuit. We now tweak the routing-based circuit design to gain additional cost reductions. Compared to the sorting-based design (cf. 5.3), these will yield a (constant-factor) improvement by several orders of magnitude. While asymptotically insignificant, this suggests a very practical device for the NFS matrix step of 1024-bit moduli. Moreover, it shows that already for 1024-bit moduli, the cost of parallelization can be negligible compared to the cost of the RAM needed to store the input, and thus the speed advantage is gained essentially for free.

The first improvement follows from increasing the density of targets. Let p denote the average number of P[·] registers per node. In the above scheme, p = h^{-1} ≈ 1/100. The total number of P[·] registers is fixed at D, so if we increase p the number of mesh nodes decreases by a factor of hp. However, we no longer have enough mesh nodes to route all the hD nonzero entries of A simultaneously. We address this by partially serializing the routing process, as follows. Instead of storing one matrix entry Q[·] per node, we store hp such values per node: for p ≥ 1, each node j is "in charge" of a set of p matrix columns C_j = {c_{j,1}, ..., c_{j,p}}, in the sense that node j contains the registers P[c_{j,1}], ..., P[c_{j,p}], and the nonzero elements of A in columns c_{j,1}, ..., c_{j,p}. To carry out a multiplication we perform hp iterations, where each iteration consists of retrieving the next such nonzero element (or skipping it, depending on the result of the previous multiplication) and then performing clockwise transposition routing as before.

The second improvement follows from using block Wiedemann with a blocking factor K > 1 (cf. 2.5). Besides reducing the number of multiplications by a factor of roughly 6⅔ (from 20D to 3D, cf. 5.3), this produces an opportunity for reducing the cost of multiplication, as follows. Recall that in block Wiedemann, we need to perform K multiplication chains of the form A^k v_i, for i = 1, ..., K and k = 1, ..., 2D/K, and later again, for k = 1, ..., D/K. The idea is to perform several chains in parallel on a single mesh, reusing most resources (in particular, the storage taken by A). For simplicity, we will consider handling all K chains on one mesh. In the routing-based circuits described so far, each node emitted at most one message per routing operation: a matrix row index, which implies the address of the target cell. The information content of this message (or its absence) is a single bit. Consider attaching K bits of information to this message: log_2(D) bits for the row index, and K bits of "payload", one bit per multiplication chain.

Combining the two generalizations gives the following algorithm, for p ≥ 1 and integer K ≥ 1. The case 0 < p < 1 requires distributing the entries of each matrix column among several mesh nodes, as in 5.4, but its cost is similar.

Let {C_j} be a partition of {1, ..., D}, C_j = {c : (j−1)p ≤ c−1 < jp}. Each node j ∈ {1, ..., D/p} contains single-bit registers P_i[c] and P'_i[c] for all i = 1, ..., K and c ∈ C_j, and a register R_j of size log_2(D) + K. Node j also contains a list Q_j = {(r, c) | A_{r,c} = 1, c ∈ C_j} of the nonzero matrix entries in the columns C_j of A, and an index I_j into Q_j. Initially, load the vectors v_i into the P_i[·] registers. Each multiplication is then performed thus:

1. For all i and c, P'_i[c] ← 0. For all j, I_j ← 1.

2. Repeat hp times:

(a) For all j: (r, c) ← Q_j[I_j], I_j ← I_j + 1, R[j] ← (r, P_1[c], ..., P_K[c]).

(b) Invoke the clockwise transposition routing algorithm on the R[·], such that each value R[j] = (r, ...) is routed to the node t_j for which r ∈ C_j. During routing, whenever a node j receives a message (r, p_1, ..., p_K) such that r ∈ C_j, it sets P'_i[r] ← P'_i[r] ⊕ p_i for i = 1, ..., K and discards the message. Moreover, whenever packets (r, p_1, ..., p_K) and (r, p'_1, ..., p'_K) in adjacent nodes are compared, they are combined: one is annihilated and the other is replaced by (r, p_1 ⊕ p'_1, ..., p_K ⊕ p'_K).

3. P_i[c] ← P'_i[c] for all i and c.

After these steps, P_i[·] contain the bits of A^k v_i and the mesh is ready for the next multiplication. We need to compute and output the inner products u_j (A^k v_i) for some vectors u_1, ..., u_K, and this computation should be completed before the next multiplication is done. In general, this seems to require Θ(K^2) additional wires between neighboring mesh nodes and additional registers. However, usually the u_j are chosen to have weight 1 or 2, so the cost of computing these inner products can be kept very low. Also, note that the number of routed messages is now doubled, because previously only half the nodes sent non-nil messages. However, empirically it appears that the clockwise transposition routing algorithm handles the full load without any slowdown.
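The routing-based multiplication of 5.4, simulated in the generalized form of 5.5 (an integer p columns per node, K chains, packets with the same row index combined), as an added example; this is not code from the paper. Assumptions that are mine rather than the text's: nodes are numbered row-major, so the target of row index r is node r div p; a packet whose K payload bits are all zero is not emitted (the "skipping" of 5.5); and where the two formulations of the compare-exchange rule in 5.4 disagree, namely when both packets have the same target coordinate, the exchange is made only if it lands one of them exactly on that coordinate. The case 0 < p < 1 of 5.4, where one column's entries are spread over a block of nodes, is not covered. The matrix and vectors are constructed test data.

```python
import random
from math import isqrt

NIL = None  # the distinguished "no packet" value

def sample_instance(seed, D=1024, h=4, K=2):
    """Constructed test data: random D x D GF(2) matrix, h nonzeros per column (row-index lists), K vectors."""
    rng = random.Random(seed)
    cols = [sorted(rng.sample(range(D), h)) for _ in range(D)]
    vs = [[rng.randrange(2) for _ in range(D)] for _ in range(K)]
    return cols, vs

def matvec_reference(cols, v):
    """Plain A*v over GF(2); the oracle the mesh is checked against."""
    out = [0] * len(cols)
    for c, rows in enumerate(cols):
        for r in (rows if v[c] else ()):
            out[r] ^= 1
    return out

class RoutingMesh:
    """D/p nodes in an m x m mesh (m = sqrt(D/p), row-major).  Node j holds the hp entries (r, c) of its
    columns C_j = {jp..jp+p-1}, the bits P_i[c] of all K chains and one packet register R[j]; a packet
    (r, payload) carries K payload bits and is routed to node r // p."""

    def __init__(self, cols, vectors, p):
        self.D, self.h, self.p, self.K = len(cols), len(cols[0]), p, len(vectors)
        self.m = isqrt(self.D // p)
        assert self.D % p == 0 and self.m * self.m == self.D // p, "D/p must be a square"
        self.Q = [[(r, c) for c in range(j * p, (j + 1) * p) for r in cols[c]]
                  for j in range(self.D // p)]             # Q_j, hp entries each
        self.P = [list(v) for v in vectors]                # P_i[c]
        self.R = [[NIL] * self.m for _ in range(self.m)]   # R[j], one per node

    def target(self, r):
        return divmod(r // self.p, self.m)

    def multiply(self):
        """One step v_i <- A v_i for all K chains at once; returns the routing steps used."""
        new_P = [[0] * self.D for _ in range(self.K)]      # step 1: P'_i[c] <- 0
        steps = 0
        for it in range(self.h * self.p):                  # step 2: hp iterations
            for j, entries in enumerate(self.Q):           # 2(a): every node emits its next entry
                r, c = entries[it]
                payload = sum(self.P[i][c] << i for i in range(self.K))
                y, x = divmod(j, self.m)
                self.R[y][x] = (r, payload) if payload else NIL  # all-zero payload: skip it
            start = steps                                  # 2(b): route until all delivered
            self._deliver(new_P)
            while any(pkt is not NIL for row in self.R for pkt in row):
                for phase in range(4):
                    self._phase(phase)
                    self._deliver(new_P)
                    steps += 1
                if steps - start > 10 * self.m:
                    raise RuntimeError("routing did not converge")
        self.P = new_P                                     # step 3: P_i <- P'_i
        return steps

    def _deliver(self, new_P):
        """A packet sitting on its target node is consumed: P'_i[r] ^= p_i."""
        for y in range(self.m):
            for x in range(self.m):
                pkt = self.R[y][x]
                if pkt is not NIL and self.target(pkt[0]) == (y, x):
                    for i in range(self.K):
                        new_P[i][pkt[0]] ^= (pkt[1] >> i) & 1
                    self.R[y][x] = NIL

    def _phase(self, k):
        """Clockwise transposition: odd rows with the node above, odd columns with the node to the
        right, then the opposite directions."""
        m, dy, dx = self.m, (-1, 0, 1, 0)[k], (0, 1, 0, -1)[k]
        for y in range(m):
            for x in range(m):
                if (x if dy == 0 else y) % 2 and 0 <= y + dy < m and 0 <= x + dx < m:
                    a, b = (y, x), (y + dy, x + dx)        # first argument precedes along the axis
                    self._compare_exchange(*((b, a) if dy + dx < 0 else (a, b)), axis=int(dy == 0))

    def _compare_exchange(self, pa, pb, axis):
        """Same r: combine payloads (annihilation).  Two packets: exchange iff the first one's target
        coordinate exceeds the second's; on a tie, iff the exchange lands one of them exactly on its
        target coordinate (my tie rule).  One packet: exchange iff it gets closer to its target."""
        a, b = self.R[pa[0]][pa[1]], self.R[pb[0]][pb[1]]
        if a is NIL and b is NIL:
            return
        if a is not NIL and b is not NIL:
            if a[0] == b[0]:
                merged = a[1] ^ b[1]
                self.R[pa[0]][pa[1]] = (a[0], merged) if merged else NIL
                self.R[pb[0]][pb[1]] = NIL
                return
            ta, tb = self.target(a[0])[axis], self.target(b[0])[axis]
            swap = ta > tb or (ta == tb and ta in (pa[axis], pb[axis]))
        elif a is not NIL:
            swap = self.target(a[0])[axis] > pa[axis]
        else:
            swap = self.target(b[0])[axis] < pb[axis]
        if swap:
            self.R[pa[0]][pa[1]], self.R[pb[0]][pb[1]] = b, a
```

Calling `multiply()` repeatedly leaves A^k v_i in `P[i]`; the bits u_i · A^k v_i of the inner-product stage are then the parity of the bitwise AND of u_i with `P[i]`. The return value counts compare-exchange steps, so the empirical 2m figure of 5.4 can be checked on larger instances (the simulation raises if a routing operation takes more than 10m steps). `sample_instance(7)` with p = 4 gives a 16 × 16 mesh, 16 routing operations per multiplication, and runs in about a second per multiplication.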

It remains to determine the optimal values of K and p. This involves implementation details and technological quirks, and obtaining precise figures appears rather hard. We thus derive expressions for the various cost measures, based on parameters which can characterize a wide range of implementations. We then substitute values that reasonably represent today's technology, and optimize for these. The parameters are as follows:

– Let A_t, A_f and A_d be the average wafer area occupied by a logic transistor, an edge-triggered flip-flop and a DRAM bit, respectively (including the related wires).

– Let A_w be the area of a wafer.

– Let A_p be the wafer area occupied by an inter-wafer connection pad (cf. 5.3).

– Let C_w be the construction cost of a single wafer (in large quantities).

– Let C_d be the cost of a DRAM bit that is stored off the wafers (this is relevant only to the FPGA design of Appendix A).

– Let T_d be the reciprocal of the memory DRAM access bandwidth of a single wafer (relevant only to FPGA).

– Let T_l be the time it takes for signals to propagate through a unit length of circuitry (averaged over logic, wires, etc.).

– Let T_p be the time it takes to transmit one bit through a wafer I/O pad.

We consider three implementation approaches: custom-produced "logic" wafers (as used in 5.3, with which we maintain consistency), custom-produced "DRAM" wafers (which reduce the size of DRAM cells at the expense of size and speed of logic transistors) and an FPGA-based design using off-the-shelf parts (cf. Appendix A). Rough estimates of the respective parameters are given in Table 2.

The cost of the matrix step is derived with some additional approximations:

– The number of mesh nodes is D/p.

– The values in Q_j[·] (i.e., the nonzero entries of A) can be stored in DRAM banks in the vicinity of the nodes, where (with an efficient representation) they occupy hp log_2(D) A_d per node.

– The P_i[c] registers can be moved to DRAM banks, where they occupy pK A_d per node.

– The P'_i[c] registers can also be moved to DRAM. However, to update the DRAM when a message is received we need additional storage. Throughout the D/p steps of a routing operation, each node gets 1 message on average (or less, due to annihilation). Thus log_2(p) + K latch bits per node would suffice (if they are still in use when another message arrives, it can be forwarded to another node and handled when it arrives again). This occupies pK A_f per node when p < 2, and pK A_d + 2(log_2(p) + K) A_f per node when p ≥ 2.

– The bitwise logic related to the P_i[c] registers, the P'_i[c] and the last K bits of the R[j] registers together occupy 20 · min(p, 2) K A_t per node.

– The R[j] registers occupy (log_2(D) + K) A_f per node.

– The rest of the mesh circuitry (clock distribution, DRAM access, clockwise transposition routing, I/O handling, inner products, etc.) occupies (200 + 30 log_2(D)) A_t per node.

– Let A_n be the total area of a mesh node, obtained by summing the above (we get different formulas for p < 2 vs. p ≥ 2).

– Let A_m = A_n D/p be the total area of the mesh nodes (excluding inter-wafer connections).

– Let N_w be the number of wafers required to implement the matrix step, and let N_p be the number of inter-wafer connection pads per wafer. For single-wafer designs, N_w = 1/⌊A_w/A_m⌋ and N_p = 0. For multiple-wafer designs, these values are derived from equations for wafer area and bandwidth:

$$ N_w A_w = A_m + N_w N_p A_p, \qquad N_p = 4 \cdot 2 \cdot \sqrt{\frac{D}{p N_w}} \cdot (\log_2 D + K) \cdot \frac{T_p}{\sqrt{A_n}\, T_l}. $$

– Let M_d be the total number of DRAM bits (obtained by evaluating A_m for A_f = A_t = 0, A_d = 1).

– Let N_a be the number of DRAM bit accesses (reads + writes) performed throughout the matrix step. With 3D/K multiplications we get N_a = (3D/K)(2hDK + hD log_2(D)), where the first term is due to the P'_i[c] updates and the second term accounts for reading the matrix entries.

– Let C_s = N_w C_w + M_d C_d be the total construction cost for the matrix step.

– The full block Wiedemann algorithm consists of 3D/K matrix-by-vector multiplications, each of which consists of hp routing operations, each of which consists of 2√(D/p) clocks. Each clock cycle takes T_l √A_n.

Let T_s be the time taken by the full block Wiedemann algorithm. Multiplying out the previous item, we get:

$$ T_s = 6 D^{3/2} h \sqrt{p}\; T_l \sqrt{A_n} / K + N_a T_d / N_w . $$

Table 3 lists the cost of the improved routing-based circuit for several choices of $p$ and $K$, according to the above. It also lists the cost of the sorting-based circuits (cf. Section 5.4) and the PC implementation of Appendix B. The lines marked by “(opt)” give the parameter choice that minimizes the throughput cost for each type of hardware.

The second line describes a routing-based design whose throughput cost is roughly 45 000 times lower than that of the original sorting-based circuit (or 6 700 times lower than sorting with $K \gg 1$). Notably, this is a single-wafer device, which completely solves the technological problem of connecting multiple wafers with millions of parallel wires, as necessary in the original design of [1]. The third line shows that significant parallelism can be gained essentially for free: here, 88% of the wafer area is occupied simply by the DRAM banks needed to store the input matrix, so further reduction in construction cost seems impossible.
Table 3. Cost of the matrix step for the “small” matrix

Algorithm | Implementation | p | K | Wafers/chips/PCs | Construction cost | Run time (sec) | Throughput cost ($ × sec)
Routing | Custom1 | 0.51 | 107 | 19 | $94,600 | 1440 (24 min) | 1.36·10^8 (opt)
Routing | Custom2 | 42.10 | 208 | 1 | $5,000 | 21 900 (6.1 hours) | 1.10·10^8 (opt)
Routing | Custom2 | 216.16 | 42 | 0.37 | $2,500 | 341 000 (4 days) | 8.53·10^8
Routing | Custom1 | 0.11 | 532 | 288 | $1,440,000 | 180 (3 min) | 2.60·10^8
Routing | FPGA | 5473.24 | 25 | 64 | $13,800 | 15 900 000 (184 days) | 2.20·10^11 (opt)
Routing | FPGA | 243.35 | 60 | 2500 | $380,000 | 1 420 000 (17 days) | 5.40·10^11
Sorting | Custom1 | — | 1 | 273 | $4,100,000 | 1 210 000 (14 days) | 4.96·10^12
Sorting | Custom1 | — | ≫ 1 | 273 | $4,100,000 | 182 000 (50 hours) | 7.44·10^11
Serial | PCs | — | 32 | 1 | $4,460 | 125 000 000 (4 years) | 5.59·10^11
Tree | PCs | — | 32 | 66 | $24,000 | 2 290 000 (27 days) | 5.52·10^10

Table 4. Cost of the matrix step for the “large” matrix 



5.6 An Improved Circuit for the “Large” Matrix. The large matrix resulting from ordinary relation collection contains 250 times more columns: $D \approx 10^{10}$. We assume that the average column density remains $h = 100$. It is no longer possible to fit the device on a single wafer, so the feasibility of the mesh design now depends critically on the ability to make high-bandwidth inter-wafer connections (cf. Section 5.5).

Using the formulas given in the previous section, we obtain the costs in Table 4 for the custom and FPGA implementations, for various parameter choices. The third line shows that here too, significant parallelism can be attained at very little cost (88% of the wafer area is occupied by DRAM storing the input). As can be seen, the improved mesh is quite feasible also for the large matrix, and its cost is a small fraction of the cost of the alternatives, and of relation collection.

5.7 Summary of Hardware Findings. The improved design of Sections 5.3 and 5.5, when implemented using custom hardware, appears feasible for both matrix sizes. Moreover, it is very attractive when compared to the traditional serial implementations (though appropriate parallelization techniques partially close this gap; see Appendix B). However, these conclusions are based on numerous assumptions, some quite optimistic. Much more research, and possibly actual relation collection experiments, would have to be carried out to get a clearer grasp of the actual cost (time and money) of both the relation collection and matrix steps for 1024-bit moduli.

In light of the above, one may try to improve the overall performance of NFS by re-balancing the relation collection step and the matrix step, i.e., by increasing the smoothness bounds (the opposite of the approach sketched in Remark 15771). For ordinary NFS, asymptotically this is impossible since the parameters used for ordinary relation collection (i.e., the “large” matrix) already minimize the cost of relation collection (cf. Section 4.6). For improved NFS that is applied to a single factorization (cf. Section 2.7), if we disregard the cost of the matrix step and optimize just for relation collection then we can expect a cost reduction of about $L_{2^{1024}}[1/3, 1.9018836\ldots]/L_{2^{1024}}[1/3, 1.8689328\ldots] \approx 2.8$.

If many integers in a large range must be factored — a reasonable assumption given our interpretation of the throughput cost (cf. Section 3.2) — a much faster method exists (cf. 0). It remains to be studied whether these asymptotic properties indeed hold for 1024-bit moduli and what the practical implications of the methods from p are.

6 Conclusion

We conclude that methods to evaluate the security of RSA moduli that are based on the traditional operation count are not affected by the circuits proposed in [1]. Although the traditional estimates underestimate the difficulty of factoring, [1] provides yet another reason — other than the mostly historical reasons used so far — not to rely too much on supposedly more accurate cost-based estimates for the NFS.

We have shown that the suggestion made in [1] that the number of digits of factorable numbers has grown by a factor of 3 is based on an argument that may not be to everyone’s taste. An alternative interpretation leads to a factor 1.17, under the cost function defined in [1]. The most traditional cost function, however, even leads to a factor 0.92.

Finally, we have presented an improved design for a mesh-based implementation of the linear algebra stage of the NFS. For an optimistically estimated 1024-bit factorization, our analysis suggests that a linear dependency between the columns of the sparse matrix can be found within a few hours by a device that costs about $5,000. At the very least, this is an additional argument not to rely on the alleged difficulty of the matrix step when evaluating the difficulty of factoring. As mentioned in [1] there are many other possibilities to be explored. Further study — and unbiased interpretation of the results — should eventually enable the cryptographic research and user communities to assess the true impact of [1] and the method proposed in Section 5.5.
A Using Off-the-Shelf Hardware for the Circuit Approach

In subsections 5.3–5.5 we were concerned primarily with custom-produced hardware, in accordance with the focus on throughput cost. In practice, however, we are often concerned about solving a small number of factorization problems. In this case, it may be preferable to use off-the-shelf components (especially if they can be dismantled and reused, or if discreteness is desired).

Tables 3 and 4 in Section 5.5 contain the parameters and cost estimates for off-the-shelf hardware, using the following scheme. FPGA chips are connected in a two-dimensional grid, where each chip holds a block of mesh nodes. The FPGA we consider is the Altera Stratix EP1S25F1020C7, which is expected to cost about $150 in large quantities in mid-2003. It contains 2 Mbit of DRAM and 25 660 “logic elements” (LEs) that each consist of a single-bit register and some configurable logic. Since on-chip DRAM is scant, we connect each FPGA to several DRAM chips. The FPGA has 706 I/O pins that can provide about 70 Gbit/sec of bandwidth to the DRAM chips (we can fully utilize this bandwidth by “swapping” large continuous chunks into the on-FPGA DRAM; the algorithm allows efficient scheduling). These I/O pins can also be used for communicating with neighbouring FPGAs at an aggregate bandwidth of 280 Gbit/sec.

The parameters given in Table 2 are normalized, such that one LE is considered to occupy 1 area unit, and thus $A_f = 1$. We make the crude assumption that each LE provides the equivalent of 20 logic transistors in our custom design, so $A_t = 0.05$. Every FPGA chip is considered a “wafer” for the purpose of calculation, so $A_w = 51\,840$. Since DRAM is located outside the FPGA chips, $A_d = 0$ but $C_d = 4\cdot 10^{-8}$, assuming $320 per gigabyte of DRAM. $T_d$ and $T_p$ are set according to available bandwidth. For $T_l$ we assume that on average an LE switches at 700 MHz. $A_p = 0$, but we need to verify that the derived $N_p$ is at most 706 (fortunately this holds for all our parameter choices).

As can be seen from the tables, the FPGA-based devices are significantly less efficient than both the custom designs and a properly parallelized PC-based implementation. Thus they appear unattractive.

B The Traditional Approach to the Matrix Step

We give a rough estimate of the price and performance of a traditional implementation of the matrix step using the block Lanczos method [13] running on standard PC hardware. Let the “small” and “large” matrices be as in Section 5.1.

B.1 Processing the “Small” Matrix Using PCs. A bare-bones PC with a 2 GHz Pentium 4 CPU can be bought for $300, plus $320 per gigabyte of RAM. We will use block Lanczos with a blocking factor of 32, to match the processor word size. The $hD = 4\cdot 10^9$ nonzero entries of the “small” matrix require 13 GB of storage, and the auxiliary $D$-dimensional vectors require under 1 GB. The construction cost is thus about $4,500.

The bandwidth of the fastest PC memory is 4.2 GB/sec. In each matrix-by-vector multiplication, all the nonzero matrix entries are read, and each of these causes an update (read and write) of a 32-bit word. Thus, a full multiplication consists of accessing $hD\log_2(D) + 2hD\cdot 32 = 4.8\cdot 10^{10}$ bits, which takes about 11 seconds. The effect of the memory latency on non-sequential access, typically 40 ns, raises this to about 50 seconds (some reduction may be possible by optimizing the memory access pattern to the specific DRAM modules used, but this appears nontrivial). Since $2D/32$ matrix-by-vector multiplications have to be carried out [13], we arrive at a total of $1.25\cdot 10^8$ seconds (disregarding the cheaper inner products), i.e., about 4 years.

The throughput cost is $5.6\cdot 10^{11}$, which is somewhat better than the sorting-based mesh design (despite the asymptotic advantage of the latter), but over 5000 times worse than the single-wafer improved mesh design (cf. Section 5.5). Parallelization can be achieved by increasing the blocking factor of the Lanczos algorithm — this would allow for different tradeoffs between construction cost and running time, but would not decrease the throughput cost.

B.2 Processing the “Large” Matrix Using PCs. The large matrix contains 250 times more columns at the same (assumed) average density. Thus, it requires 250 times more memory and $250^2 = 62\,500$ times more time than the small matrix. Moreover, all row indices now occupy $\lceil\log_2 10^{10}\rceil = 34$ bits instead of just 24. The cost of memory needed to store the matrix is $1.36M (we ignore the lack of support for this amount of memory in existing memory controllers), and the running time is 270 000 years. This appears quite impractical (we cannot increase the blocking factor by over $\sqrt{D}$, and even if we could, the construction cost would be billions of dollars).

Remark B.3. Once attention is drawn to the cost of memory, it becomes evident that better schemes are available for parallelizing a PC-based implementation. One simple scheme involves distributing the matrix columns among numerous PCs such that each node $j$ is in charge of some set of columns $C_j \subseteq \{1,\ldots,D\}$, and contains only these matrix entries (rather than the whole matrix). The nodes are networked together with a binary tree topology. Let $a_i$ denote the $i$-th column of $A$. Each matrix-by-vector multiplication $Aw$ consists of the root node broadcasting the bits $w_1,\ldots,w_D$ down the tree, each node $j$ computing a partial sum vector $r_j = \sum_{i\in C_j,\,w_i=1} a_i \pmod 2$, and finally performing a converge-cast operation to produce the sum $\sum_j r_j = Aw \pmod 2$ at the root. If the broadcast and converge-cast are done in a pipelined manner on 0.5 gigabit links, this is easily seen to reduce the throughput cost to roughly $5.6\cdot 10^{10}$ for the small matrix and $4.8\cdot 10^{16}$ for the large matrix (see Tables 3, 4).

For constant-bandwidth links, this scheme is asymptotically inefficient since its throughput cost is L(3/3). However, for the parameters considered it is outperformed only by the custom-built improved mesh.
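The column-partitioned product with a tree converge-cast from Remark B.3, written out as a small simulation (an added example; this is not code from the paper). Each node XORs the columns it owns whose $w$-bit is set, and the partial sums are combined pairwise up a binary tree. The 8×8 matrix and the vector $w$ are constructed here; the round-robin column assignment and the bit-set encoding of columns are assumptions of the example.

```python
"""Column-partitioned matrix-by-vector product over GF(2) with a tree converge-cast.

Added example of the scheme sketched in Remark B.3; it is not code from the paper.
Node j owns a column set C_j and computes r_j = sum_{i in C_j, w_i = 1} a_i (mod 2);
the partial sums are XORed up a binary tree to give A w (mod 2) at the root.
Column vectors are Python ints used as bit-sets (bit i set <=> row i is nonzero),
so addition mod 2 is bitwise XOR.
"""


def column_bits(rows):
    """Encode the nonzero row indices of one sparse column as a bit-set."""
    v = 0
    for i in rows:
        v |= 1 << i
    return v


def partial_sum(owned, columns, w):
    """Node-local work: XOR the owned columns whose w-bit is 1 (r_j in Remark B.3)."""
    r = 0
    for j in owned:
        if (w >> j) & 1:
            r ^= columns[j]
    return r


def converge_cast(partials):
    """Pairwise XOR up a binary tree. Returns (root value, number of tree levels)."""
    level = list(partials)
    depth = 0
    while len(level) > 1:
        level = [level[k] ^ level[k + 1] if k + 1 < len(level) else level[k]
                 for k in range(0, len(level), 2)]
        depth += 1
    return level[0], depth


def distributed_matvec(columns, w, n_nodes):
    """A w (mod 2) computed by n_nodes nodes; columns are dealt out round-robin."""
    owned = [list(range(j, len(columns), n_nodes)) for j in range(n_nodes)]
    partials = [partial_sum(o, columns, w) for o in owned]
    root, _ = converge_cast(partials)
    return root


def reference_matvec(columns, w):
    """Single-node A w (mod 2), used to check the distributed result."""
    r = 0
    for j, col in enumerate(columns):
        if (w >> j) & 1:
            r ^= col
    return r


def sample_matrix():
    """Constructed 8x8 sparse matrix (row lists per column) and input vector w."""
    columns = [column_bits(rows) for rows in
               ([0, 3], [1], [0, 2], [3], [1, 2], [0], [2, 3], [1, 3])]
    w = column_bits([0, 2, 5, 6])       # w_0 = w_2 = w_5 = w_6 = 1
    return columns, w


if __name__ == "__main__":
    cols, w = sample_matrix()
    print(bin(distributed_matvec(cols, w, 3)), bin(reference_matvec(cols, w)))
```

The number of tree levels returned by `converge_cast` is the latency of one reduction, which is what the pipelined broadcast/converge-cast hides; the per-node memory is only the owned columns, which is the point of the remark.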
Abstract. The Cramer-Shoup cryptosystem for groups of prime order is a practical public-key cryptosystem, provably secure in the standard model under standard assumptions. This paper extends the cryptosystem for groups of unknown order, namely the group of quadratic residues modulo a composed N. Two security results are: In the standard model, the scheme is provably secure if both the Decisional Diffie-Hellman assumption for $QR_N$ and the factorisation assumption for N hold. In the random oracle model, the scheme is provably secure under the factorisation assumption by a quite efficient reduction.

1 Introduction

Security against chosen ciphertext attacks is essential for many cryptosystems. Naor and Yung m introduced this notion into the world of public-key cryptosystems and first described a scheme secure against non-adaptive chosen ciphertext (“lunchtime”) attacks. Today, most cryptographers agree that a “good” public-key cryptosystem should be secure against adaptive chosen ciphertext (ACC) attacks.¹ This notion has been introduced by Rackoff and Simon tni. Dolev, Dwork and Naor 0 described a scheme provably secure against ACC attacks under standard assumptions. However, their scheme is too inefficient for practical applications. The research for provably secure and practically efficient cryptosystems has led to schemes provably secure in the random oracle model P, and to schemes provably secure under non-standard assumptions such as the “oracle Diffie-Hellman” assumption p.

The Cramer-Shoup cryptosystem [5] is the only cryptosystem known to be both practical and provably secure under standard assumptions - mainly, the decisional Diffie-Hellman assumption in groups of prime order. Recently, the same authors proposed a generalisation of their cryptosystem [7]. Its security can be based either on Paillier’s decision composite residuosity assumption or on the (quite classical) quadratic residuosity (QR) assumption - or on the decisional Diffie-Hellman assumption in groups of prime order, as before. As pointed out in [3], the QR-based variant of the generalisation is not too efficient in practice.² In

¹ Some authors denote lunchtime attacks by “IND-CCA1” and ACC attacks by “IND-CCA2”.

² A sample instantiation of the security parameters with $N \approx 2^{1024}$ in [7] implies the following: A public key needs 70 KB of storage space, and an encryption operation
this paper, we deal with another variation, based on the Diffie-Hellman problem in specific groups of non-prime order.

Set $N = PQ$, $P = 2p+1$, $Q = 2q+1$, $p \neq q$, and let $P$, $Q$, $p$, and $q$ be odd primes. In the remainder of this paper, we assume $N$ to be of that form. Consider the group $QR_N$ of the Quadratic Residues mod $N$ and the Cramer-Shoup Cryptosystem in this group. ([5] originally proposed their cryptosystem for groups of prime order only.) As it will turn out, the legal user will not need to know the factorisation of $N$ for either encryption, decryption or key generation (with the possible exception of generating an appropriate $N$ itself). Since knowing the factorisation of $N$ is equivalent to knowing the order of $QR_N$, the group $QR_N$ may be of unknown order even for the legal user.

A security result in the standard model provides assurance against all attacks, while a random oracle security result only provides assurance against so-called “generic” attacks. On the other hand, it is desirable to base the security of cryptosystems on weak assumptions, instead of strong ones. In this spirit, Shoup m proposed a “hedged” variant of the Cramer-Shoup cryptosystem, being both provably secure in the standard model under a strong assumption and provably secure in the random oracle model under a weak assumption. In Section 7 we follow the same approach. Our extension is different from Shoup’s technique, and the proof for the security in the random oracle model given here is more efficient than its counterpart in m.

2 Properties of the Set $QR_N$

In this section, we recall some number-theoretic terminology and facts. Let $G$ be a finite multiplicative group of order $|G| \geq 2$. The order $\mathrm{ord}(x)$ of $x \in G$ is the smallest integer $e > 0$ such that $x^e = x^0$. $G$ is cyclic if a generator $g$ for $G$ exists, i.e., an element $g \in G$ with $\mathrm{ord}(g) = |G|$. Further, $\{1\}$ and $G$ itself are the two trivial subgroups of $G$; all other subgroups are nontrivial.

Recall that $N = PQ$, where $P = 2p+1$, $Q = 2q+1$, $p$ and $q$ are primes (i.e., both $p$ and $q$ are Sophie Germain primes). Consider the set $QR_N = \{x \in \mathbb{Z}_N^* \mid \exists a \in \mathbb{Z}_N^* : a^2 = x \pmod N\}$ of Quadratic Residues modulo $N$. In the sequel, we use the following lemmas, which we prove in Section El of the appendix.

Lemma 1. $QR_N$ has a nontrivial subgroup of order $p$ and a nontrivial subgroup of order $q$. Both subgroups are cyclic.

Lemma 2. $QR_N$ is cyclic. It consists of one element of order 1, $(p-1)$ elements of order $p$, $(q-1)$ elements of order $q$, and $(p-1)(q-1)$ elements of order $pq$.

Lemma 3. For every $x \in QR_N$: $\mathrm{ord}(x) \in \{p, q\} \Rightarrow \gcd(x-1, N) \in \{P, Q\}$.


needs about 600 exponentiations modulo N. Note that the other variants are much 
more efficient. 


A Variant of the Cramer-Shoup Cryptosystem for Groups of Unknown Order


Lemma 4. Let $g$ be a generator for $QR_N$. For every $x \in \mathbb{Z}_{pq}$: $\mathrm{ord}(g^x) \in \{p, q\} \Leftrightarrow \gcd(x, pq) \in \{p, q\}$.

Computations in $QR_N$ are computations modulo $N$. If it is implied by context, we omit writing explicitly “mod $N$” for calculations mod $N$. If $S$ is a finite set, we write $v \in_R S$ if the value $v$ is chosen from the set $S$ according to the uniform probability distribution. We write $x \in_R \mathbb{Z}_{pq}$ for randomly choosing $x$ in $\mathbb{Z}_{pq}$ according to a distribution statistically indistinguishable from uniform. Consider, e.g., $x \in_R \mathbb{Z}_{\lfloor N/4\rfloor}$. Since $\lfloor N/4\rfloor < pq + p/2 + q/2 + 1/4$, $x \in \mathbb{Z}_{pq}$ is overwhelmingly probable: $\Pr[x \in \mathbb{Z}_{pq}] > 1 - \frac{p+q}{2pq} \geq \min\{1 - \frac{1}{p}, 1 - \frac{1}{q}\}$.

3 Key Encapsulation Mechanisms

A key encapsulation mechanism (KEM) can be seen as the secret-key part of a hybrid cryptosystem. Combining a KEM with an appropriate secret-key cryptosystem provides the functionality of a public-key cryptosystem. If the secret-key cryptosystem satisfies some fairly standard security assumptions and the KEM is secure against ACC attacks, the public-key cryptosystem is secure against ACC attacks as well. (This is called a “folk theorem” in |]3J. See also 0.) A KEM is a triple (Gen, KE, KD) of algorithms:

1. A key pair generation algorithm Gen, which, given a security parameter, randomly chooses a public-key/secret-key pair (PK, SK).

2. A randomised key encapsulation algorithm KE to choose $(C, K) = \mathrm{KE}(\mathrm{PK})$, i.e. a ciphertext $C$ and an encapsulated key $K$.

3. A deterministic key decapsulation algorithm KD to compute $K' = \mathrm{KD}(\mathrm{SK}, C)$, and to reject invalid ciphertexts.

A KEM is sound if $K = K'$ for any $(\mathrm{PK}, \mathrm{SK}) = \mathrm{Gen}(\cdot)$, $(C, K) = \mathrm{KE}(\mathrm{PK})$, and $K' = \mathrm{KD}(\mathrm{SK}, C)$. The KEM presented in Section 4 and its extension in Section 7 are both sound. Proving this is easy, but omitted here for the sake of space.

An ACC attack against a KEM (Gen, KE, KD) can be described by the following game:

1. A key generation oracle computes $(\mathrm{PK}, \mathrm{SK}) = \mathrm{Gen}(\cdot)$ and publishes PK.

2. A key encapsulation oracle chooses $(C, K) = \mathrm{KE}(\mathrm{PK})$ and $\sigma \in_R \{0, 1\}$. If $\sigma = 0$, the oracle sends $(C, K)$ to the adversary, else $(C, K')$ with $K' \in_R \{0, 1\}^{|K|}$.

3. The adversary makes some queries $C_1, \ldots, C_q$ to a key decapsulation oracle, with $C_i \neq C$. For each query $C_i$, the oracle responds with the value $\mathrm{KD}(\mathrm{SK}, C_i)$, which may be either a bit string, or a special code to indicate rejection. For $i \in \{1, \ldots, q-1\}$, the adversary learns the response $\mathrm{KD}(\mathrm{SK}, C_i)$ before she has to choose the next query $C_{i+1}$.

4. The adversary outputs a value $\sigma' \in \{0, 1\}$.

The adversary’s advantage in guessing $\sigma$ is the difference
$|\Pr[\sigma' = 1 \mid \sigma = 1] - \Pr[\sigma' = 1 \mid \sigma = 0]|$
of conditional probabilities. A KEM is secure against ACC attacks, or ACC-secure, if, for all efficient adversaries, the advantage is negligible.

In Section Q of the appendix, we compare ACC-secure KEMs with ACC-secure public-key cryptosystems and introduce lunchtime-security.


4 The Cryptosystem and Some Assumptions

Here, we deal with the Cramer-Shoup cryptosystem and what assumptions we make to prove its security. Cramer and Shoup [5] considered groups $G$ of (known) prime order $q$, while we consider the group $QR_N$ of composed order $pq$. There is no need to actually know $pq$, not even for the owner of the secret key. (Note that knowing $pq$ makes factorising $N$ easy.) For the sake of simplicity, we restrict ourselves to describing the system as a key encapsulation mechanism, instead of a full-scale public-key cryptosystem.

Cramer-Shoup Cryptosystem in the Group $QR_N$:

- Key Generation Gen($l$):

• Generate $N, P, Q, p, q$ as above with $2^{l-1} < N < 2^l$.

• Choose a generator $g$ for $QR_N$.

• Choose a hash function $H : \{0,1\}^* \to \mathbb{Z}_m$ (with $m < pq$).

• Randomly choose $w \in_R \mathbb{Z}_{pq}$, and compute $g_2 = g^w$. Choose $x_1, x_2, y_1, y_2, z \in_R \mathbb{Z}_{pq}$. Compute $c = g^{x_1} g_2^{x_2}$, $d = g^{y_1} g_2^{y_2}$, and $e = g^z$.

• The public key is $\mathrm{PK} = (N, g, H, g_2, c, d, e)$. The secret key is $\mathrm{SK} = (x_1, x_2, y_1, y_2, z) \in \mathbb{Z}_{pq}^5$.

- Key Encapsulation KE(PK):

• Choose $r \in_R \mathbb{Z}_{pq}$, compute $u_1 = g^r$, $u_2 = g_2^r$, $k = e^r$, $a = H(u_1, u_2)$ and $t = c^r d^{ra}$.

• The ciphertext is $(u_1, u_2, t)$, the encapsulated key is $k$.

- Key Decapsulation KD(SK, $(U_1, U_2, T)$) for $(U_1, U_2, T) \in QR_N^2 \times \mathbb{Z}_N^*$:³

• Compute $K' = U_1^z$, $A' = H(U_1, U_2)$, $T' = U_1^{x_1 + y_1 A'} U_2^{x_2 + y_2 A'}$.

• If $T = T'$ then output $K'$, else reject.

Both in a group $G$ of prime order and in composed order groups (such as $QR_N$ and $\mathbb{Z}_N^*$), expressions such as $g^a g^b$ and $(g^a)^b$ are equivalent to $g^{a+b}$ and $g^{ab}$. For prime order groups “$a+b$” and “$ab$” are addition and multiplication in a field, but for general groups $G$ these operations are defined in the ring $\mathbb{Z}_{|G|}$. Thus, the proof of security from [5] is not directly applicable to the cryptosystem proposed in the current paper, though our proof is along the same lines.

³ We don’t care if $T \notin QR_N$, because $T' \in QR_N$, and the test “$T = T'$” is supposed to fail if $T \notin QR_N$. Remark El describes how to enforce $U_1, U_2 \in QR_N$.
Assumption: (Target collision resistance of $H$)

Let $F_H$ be a family of hash functions $\{0,1\}^* \to \mathbb{Z}_m$, for $m < pq$. Consider the following experiment:

1. Fix an input $T$ for $H$ (the “target”).

2. Randomly choose $H$ from the family $F_H$.

It is infeasible to find a “collision” for the target $T$, i.e., an input $T' \neq T$ such that $H(T) = H(T')$.

As a minor abuse of notation, we write “$H$ is target collision resistant” (“TC-resistant”) to indicate that $H$ has been chosen from such a family $F_H$.

Assumption: (decisional Diffie-Hellman (DDH) assumption for $QR_N$)

Let a generator $g$ for $QR_N$ be given. Consider the distributions $R$ of triples $(g_2, u_1, u_2) \in_R QR_N^3$ and $D$ of triples $(g_2, u_1, u_2)$ with $g_2 \in_R QR_N$, $r \in_R \mathbb{Z}_{pq}$, $u_1 = g^r$, and $u_2 = g_2^r$. It is infeasible to distinguish between $R$ and $D$.⁴

Assumption: (computational Diffie-Hellman (CDH) assumption for $QR_N$)

Let a generator $g$ for $QR_N$ be given. Given two values $g_2 \in_R QR_N$ and $u_1 \in_R QR_N$ with $\log_g(u_1) = r$, it is infeasible to find the value $u_2 = g_2^r$.⁵

Assumption: (factoring assumption for $N$)

Given $N$, it is infeasible to find $P$ or $Q$.

Theorem 1 (Factoring assumption ⇒ CDH assumption).

If factoring $N$ is infeasible, the CDH assumption for $QR_N$ holds.

The proof is in Section Q of the appendix.

5 Some Technicalities

Lemma 5. Let $g$ be a generator of $QR_N$ and $w \in_R \mathbb{Z}_{pq}$. The value $g_2 = g^w$ is a uniformly distributed random value in $QR_N$. With overwhelming probability, $g_2$ is a generator for $QR_N$.

Proof. Clearly, $g_2$ is uniformly distributed. By Lemma 4, $g_2$ is a generator for $QR_N$ $\Leftrightarrow$ $w \in \mathbb{Z}_{pq}^*$. Hence, $\Pr[g_2 \text{ is a generator for } QR_N] = (p-1)(q-1)/pq$. □

Lemma 6. If it is feasible to find any pair $(\alpha, \beta) \in \mathbb{Z}_{pq}^2$ with $(\alpha - \beta) \in \mathbb{Z}_{pq} - \mathbb{Z}_{pq}^* - \{0\}$, it is feasible to factorise $N$.

⁴ An alternative view would be to consider two distributions $D_4$ and $R_4$ of quadruples $(g, g_2, u_1, u_2)$. The distribution of $g$ is the same for $D_4$ and $R_4$, and $g$ is a generator. Apart from that, we don’t specify how $g$ is actually chosen. The values $g_2$, $u_1$ and $u_2$ are either chosen according to $D$ or according to $R$.

⁵ Since $g \in QR_N$ is a generator, $\log_g(x)$ is uniquely defined for $x \in QR_N$.

Proof. Let $g$ be a generator for $QR_N$. If $(\alpha - \beta) \in \mathbb{Z}_{pq} - \mathbb{Z}_{pq}^* - \{0\}$, then $\mathrm{ord}(g^{\alpha-\beta}) \in \{p, q\}$ and thus, we can compute $\gcd(g^{\alpha-\beta} - 1, N) \in \{P, Q\}$. □

Lemma 7. Let $g$ be a generator for $QR_N$ and $g_2 \in_R QR_N$. If it is feasible to choose $u_1, u_2$ such that $u_1 = g^{r_1}$, $u_2 = g_2^{r_2}$, and $(r_2 - r_1) \in \mathbb{Z}_{pq} - \mathbb{Z}_{pq}^* - \{0\}$, it is feasible to factorise $N$.

Proof. Choose $g_2$ as suggested in Lemma 5: $w \in_R \mathbb{Z}_{pq}$, $g_2 = g^w$. Since $(r_2 - r_1) \in \mathbb{Z}_{pq} - \mathbb{Z}_{pq}^* - \{0\}$, $\mathrm{ord}(g^{r_2-r_1}) \in \{p, q\}$. Similarly, $\mathrm{ord}(g_2^{r_2-r_1}) \in \{p, q\}$, and thus $\gcd(g_2^{r_2-r_1} - 1, N) \in \{P, Q\}$. Due to $g_2^{r_2-r_1} = g_2^{r_2} g_2^{-r_1} = u_2 u_1^{-w}$, and since we know $w$, we actually can compute $g_2^{r_2-r_1}$ and thus factorise $N$. □
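The three reductions above (Lemma 3, Lemma 6 and Lemma 7) all come down to the same computation: an element of $QR_N$ of order $p$ or $q$ is congruent to 1 modulo exactly one of $P$, $Q$, so $\gcd(x-1, N)$ is a prime factor. The following added example (not code from the paper) makes that concrete on a constructed toy modulus; the primes $p = 41$, $q = 53$ and the exponent values in the `__main__` block are assumptions of the example, and a real instance would use a 1024-bit $N$.

```python
"""Why elements of order p or q in QR_N reveal the factorisation of N.

Added example illustrating Lemma 3, Lemma 6 and Lemma 7; it is not code from the
paper. The primes below are constructed toy values (p, q Sophie Germain primes,
P = 2p+1 and Q = 2q+1 prime); a real instance uses a 1024-bit N.
"""
from math import gcd
import secrets

p, q = 41, 53
P, Q = 2 * p + 1, 2 * q + 1      # 83 and 107, both prime
N = P * Q                        # 8881; |QR_N| = pq = 2173


def generator_of_qr():
    """Random generator of QR_N. Uses p and q, so only N's creator can run this."""
    while True:
        a = secrets.randbelow(N)
        if gcd(a, N) != 1:
            continue
        g = a * a % N                                  # g is a quadratic residue
        if pow(g, p, N) != 1 and pow(g, q, N) != 1:    # ord(g) = pq (Lemma 2)
            return g


def factor_from_low_order(x):
    """Lemma 3: ord(x) in {p, q} implies gcd(x - 1, N) in {P, Q}.
    Returns the nontrivial factor found, or None if x has full or trivial order."""
    f = gcd(x - 1, N)
    return f if 1 < f < N else None


def factor_from_exponent_pair(g, alpha, beta):
    """Lemma 6: a pair (alpha, beta) whose difference is a nonzero non-unit of
    Z_pq makes g^(alpha - beta) an element of order p or q."""
    return factor_from_low_order(pow(g, abs(alpha - beta), N))


def factor_from_dh_pair(g, w, u1, u2):
    """Lemma 7: with g2 = g^w, u1 = g^r1 and u2 = g2^r2, the value
    g2^(r2 - r1) = u2 * u1^(-w) is computable from w alone; if r2 - r1 is a
    nonzero non-unit mod pq it has order p or q and factors N."""
    g2_diff = u2 * pow(u1, -w, N) % N      # modular inverse needs Python >= 3.8
    return factor_from_low_order(g2_diff)


if __name__ == "__main__":
    g = generator_of_qr()
    print(factor_from_low_order(pow(g, q, N)))          # ord(g^q) = p  -> a factor
    print(factor_from_exponent_pair(g, 2 * p + 3, 3))   # alpha - beta = 2p
    w, r1, r2 = 7, 5, 5 + q                             # r2 - r1 = q
    print(factor_from_dh_pair(g, w, pow(g, r1, N), pow(pow(g, w, N), r2, N)))
```

`generator_of_qr` is the only function that needs $p$ and $q$; the three `factor_from_*` functions use nothing but $N$ and the values the respective lemma assumes to be available, which is exactly what the security proofs rely on.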

Now we describe a simulator for the Cramer-Shoup cryptosystem. Its purpose is not to be actually used for key encapsulation and decapsulation, but to serve as a technical tool for the proof of security. If an adversary mounts an attack against the Cramer-Shoup cryptosystem, the simulator may provide the responses, instead of an “honest” Cramer-Shoup oracle. Note that the adversary can make many key decapsulation queries, but only one single key encapsulation query.

A Simulator for the Cramer-Shoup Cryptosystem in $QR_N$

- Generate the public key:

• Let the values $g$, $N$ and $H$ and a triple $(g_2, u_1, u_2) \in QR_N^3$ be given.

• Choose $x_1, x_2, y_1, y_2, z_1, z_2 \in_R \mathbb{Z}_{pq}$. Compute $c = g^{x_1} g_2^{x_2}$, $d = g^{y_1} g_2^{y_2}$, and $e = g^{z_1} g_2^{z_2}$.⁶ The public key is $\mathrm{PK} = (N, g, H, g_2, c, d, e)$.

- Key Encapsulation KE(PK):

• Compute $k = u_1^{z_1} u_2^{z_2}$, $a = H(u_1, u_2)$, $t = u_1^{x_1 + y_1 a} u_2^{x_2 + y_2 a}$.

• The ciphertext is $(u_1, u_2, t)$, the encapsulated key is $k$.

- Key Decapsulation KD(SK, $(U_1, U_2, T)$):

• Compute $K' = U_1^{z_1} U_2^{z_2}$, $A' = H(U_1, U_2)$, $T' = U_1^{x_1 + y_1 A'} U_2^{x_2 + y_2 A'}$.

• If $T = T'$ then output $K'$, else reject.
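The scheme of Section 4 and the simulator above, written side by side as an added example (this is not code from the paper). The toy modulus (p = 41, q = 53), the choice of $m$ for the range of $H$, SHA-256 as the concrete hash, and the fixed-width encoding of $(u_1, u_2)$ are all assumptions of the example. Exponents are drawn from $\mathbb{Z}_{\lfloor N/4\rfloor}$, the paper's way of sampling $\mathbb{Z}_{pq}$ without knowing $pq$; only the one-time choice of a generator uses $p$ and $q$. `lemma8_check` reproduces the first half of Lemma 8: fed a $D$-distributed triple, the simulator's key equals $e^r$ and it decapsulates its own ciphertext correctly.

```python
"""Toy Cramer-Shoup KEM in QR_N and the proof's simulator, side by side.

Added example covering the scheme of Section 4 and the simulator of Section 5;
it is not code from the paper. N is a constructed toy modulus (p = 41, q = 53);
the hash H is SHA-256 reduced mod M for a constructed M < pq; exponents are drawn
from Z_{floor(N/4)}, the paper's way of sampling Z_pq without knowing pq.
"""
import hashlib
import secrets
from math import gcd

p, q = 41, 53
P, Q = 2 * p + 1, 2 * q + 1      # 83, 107
N = P * Q                        # 8881; |QR_N| = pq = 2173
M = 1 << (N.bit_length() - 4)    # 1024 < pq: range of H (constructed choice)
# Smallest generator of QR_N; the test with p, q is the key generator's privilege.
G = next(a * a % N for a in range(2, N)
         if gcd(a, N) == 1 and pow(a * a % N, p, N) != 1 and pow(a * a % N, q, N) != 1)


def rand_exp():
    """x in_R Z_{floor(N/4)}: statistically close to uniform on Z_pq (Section 2)."""
    return secrets.randbelow(N // 4)


def H(u1, u2):
    """Hash {0,1}* -> Z_M over a fixed-width encoding of (u1, u2)."""
    data = u1.to_bytes(8, "big") + u2.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % M


def keygen():
    """Gen: PK = (g2, c, d, e) with g2 = g^w, e = g^z; SK = (x1, x2, y1, y2, z)."""
    w = rand_exp()
    g2 = pow(G, w, N)
    x1, x2, y1, y2, z = (rand_exp() for _ in range(5))
    c = pow(G, x1, N) * pow(g2, x2, N) % N
    d = pow(G, y1, N) * pow(g2, y2, N) % N
    return (g2, c, d, pow(G, z, N)), (x1, x2, y1, y2, z)


def encapsulate(pk):
    """KE: ciphertext (u1, u2, t) with t = c^r d^(r a), key k = e^r."""
    g2, c, d, e = pk
    r = rand_exp()
    u1, u2, k = pow(G, r, N), pow(g2, r, N), pow(e, r, N)
    a = H(u1, u2)
    return (u1, u2, pow(c, r, N) * pow(d, r * a, N) % N), k


def decapsulate(sk, ct):
    """KD: returns U1^z if T matches T', else None (rejection)."""
    x1, x2, y1, y2, z = sk
    U1, U2, T = ct
    if not all(0 < v < N and gcd(v, N) == 1 for v in ct):   # Z_N^* domain check
        return None
    A = H(U1, U2)
    Tp = pow(U1, x1 + y1 * A, N) * pow(U2, x2 + y2 * A, N) % N
    return pow(U1, z, N) if T == Tp else None


# --- The simulator of Section 5: built from a triple (g2, u1, u2); no w or r needed.
def sim_setup(g2):
    x1, x2, y1, y2, z1, z2 = (rand_exp() for _ in range(6))
    c = pow(G, x1, N) * pow(g2, x2, N) % N
    d = pow(G, y1, N) * pow(g2, y2, N) % N
    e = pow(G, z1, N) * pow(g2, z2, N) % N        # footnote 6: real scheme has z2 = 0
    return (g2, c, d, e), (x1, x2, y1, y2, z1, z2)


def sim_encapsulate(ssk, u1, u2):
    x1, x2, y1, y2, z1, z2 = ssk
    k = pow(u1, z1, N) * pow(u2, z2, N) % N
    a = H(u1, u2)
    return (u1, u2, pow(u1, x1 + y1 * a, N) * pow(u2, x2 + y2 * a, N) % N), k


def sim_decapsulate(ssk, ct):
    x1, x2, y1, y2, z1, z2 = ssk
    U1, U2, T = ct
    A = H(U1, U2)
    Tp = pow(U1, x1 + y1 * A, N) * pow(U2, x2 + y2 * A, N) % N
    return pow(U1, z1, N) * pow(U2, z2, N) % N if T == Tp else None


def lemma8_check():
    """With a D-distributed triple (u1 = g^r, u2 = g2^r) the simulator's key is e^r."""
    w, r = rand_exp(), rand_exp()
    g2 = pow(G, w, N)
    u1, u2 = pow(G, r, N), pow(g2, r, N)
    spk, ssk = sim_setup(g2)
    ct, k = sim_encapsulate(ssk, u1, u2)
    return k == pow(spk[3], r, N) and sim_decapsulate(ssk, ct) == k
```

Tampering with any component of a ciphertext is caught by the $T = T'$ test in `decapsulate`; the domain check on $\mathbb{Z}_N^*$ is the part of the decapsulation input condition $(U_1, U_2, T) \in QR_N^2 \times \mathbb{Z}_N^*$ that can be enforced without knowing the factorisation of $N$.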

6 A Proof of Security in the Standard Model

In this section, we prove the security of the Cramer-Shoup Cryptosystem in $QR_N$ in the standard model. The proof is based on three lemmas.

Theorem 2 (Security in the standard model).

If $H$ is TC-resistant and both the DDH assumption for $QR_N$ and the factoring assumption for $N$ hold, the Cramer-Shoup cryptosystem in $QR_N$ is ACC-secure.

Lemma 8. If the triple $(g_2, u_1, u_2)$ given to the simulator is distributed according to distribution $D$, an adversary cannot statistically distinguish between the behavior of the simulator and the Cramer-Shoup cryptosystem itself.

⁶ In contrast to the simulator, the cryptosystem itself implicitly defines $z_2 = 0$.
Proof. If $(g_2, u_1, u_2)$ is distributed according to $D$, a value $r$ exists such that $u_1 = g^r$ and $u_2 = g_2^r$. We show that the simulator’s responses are statistically indistinguishable from the real cryptosystem’s responses.

Consider the key encapsulation query. The simulator computes

$k = u_1^{z_1} u_2^{z_2} = g^{r z_1} g_2^{r z_2} = (g^{z_1} g_2^{z_2})^r = e^r$,

$a = H(u_1, u_2)$ and

$t = u_1^{x_1 + y_1 a} u_2^{x_2 + y_2 a} = g^{r x_1} g_2^{r x_2} g^{r y_1 a} g_2^{r y_2 a} = c^r (d^r)^a$.

The distribution of the response $((g_2, u_1, u_2), k)$ is identical to the distribution of the cryptosystem’s response.

Now consider the key decapsulation queries. If a query $(U_1, U_2, T)$ is valid, i.e., if a value $R \in \mathbb{Z}_{pq}$ exists with $U_1 = g^R$ and $U_2 = g_2^R$, the simulator’s response is the same as the response the cryptosystem provides. Both the simulator and the cryptosystem reject $(U_1, U_2, T)$ if $T \neq T' = U_1^{x_1 + y_1 A'} U_2^{x_2 + y_2 A'}$, and else output $K' = U_1^{z_1} U_2^{z_2} = (g^R)^{z_1} (g_2^R)^{z_2} = (g^{z_1} g_2^{z_2})^R = e^R$. It remains to show that both the cryptosystem and the simulator (given $(g_2, u_1, u_2)$ distributed according to $D$) reject all invalid key decapsulation queries with overwhelming probability - and thus essentially behave identically.

The decision to reject an invalid ciphertext $(U_1, U_2, T)$ depends on four random values $x_1, x_2, y_1, y_2 \in \mathbb{Z}_{pq}$. A part of the public key are the values $c$ and $d$ with $c = g^{x_1} g_2^{x_2} = g^{x_1} g^{w x_2}$ and $d = g^{y_1} g_2^{y_2} = g^{y_1} g^{w y_2}$, i.e.,

$l_c := \log_g(c) = x_1 + w x_2 \Leftrightarrow x_1 = l_c - w x_2$ and (1)

$l_d := \log_g(d) = y_1 + w y_2 \Leftrightarrow y_1 = l_d - w y_2$. (2)

These equations⁷ provide public information about the quadruple $(x_1, x_2, y_1, y_2)$ of secret values. The response to the encapsulation query provides another equation $\log_g(t) = r x_1 + r y_1 a + r w x_2 + r w y_2 a$; however $\log_g(t) = r l_c + r l_d a$, i.e., this new equation linearly depends on Equations (1) and (2) and thus provides no new information about $(x_1, x_2, y_1, y_2)$. This still leaves $(pq)^2$ possibilities for the quadruple $(x_1, x_2, y_1, y_2)$.

Assume $g_2$ to be a generator for $QR_N$. (By Lemma 5 this is overwhelmingly probable.) Let the ciphertext $(U_1, U_2, T)$ be invalid. Thus, $R_1 \neq R_2$ exist with $U_1 = g^{R_1}$ and $U_2 = g_2^{R_2}$. To answer the query, the values $K' = U_1^{z_1} U_2^{z_2}$ (or $K' = U_1^z$), $A' = H(U_1, U_2)$, and $T' = U_1^{x_1 + y_1 A'} U_2^{x_2 + y_2 A'} = g^{R_1 x_1 + R_1 y_1 A'} g_2^{R_2 x_2 + R_2 y_2 A'}$ are computed, which provides the equation

$l_{T'} := \log_g(T') = R_1 x_1 + R_1 y_1 A' + w R_2 x_2 + w R_2 y_2 A'$. (3)

Equations (1) and (2) can be used to eliminate the variables $x_1$ and $y_1$:

$l_{T'} = R_1 l_c - R_1 w x_2 + R_1 l_d A' - R_1 w y_2 A' + w R_2 x_2 + w R_2 y_2 A'$

$= R_1 l_c + R_1 l_d A' + w x_2 (R_2 - R_1) + w y_2 A' (R_2 - R_1)$

⁷ It is vital that $l_c$ and $l_d$ are uniquely defined. We need not actually compute $l_c$ or $l_d$.

By Lemma 5 and Lemma 7 we know that with overwhelming probability and under the factoring assumption both $w$ and $(R_2 - R_1)$ are invertible mod $pq$. If these two values are invertible, we may fix the value $y_2$ arbitrarily and there always exists a uniquely defined value

$x_2 = \dfrac{l_{T'} - R_1 l_c - R_1 A' l_d - w y_2 A' (R_2 - R_1)}{w (R_2 - R_1)}$

to prevent the rejection of the invalid ciphertext $(U_1, U_2, T)$. Each time an invalid ciphertext is rejected, this eliminates at most $pq$ of the $(pq)^2$ possible quadruples $(x_1, x_2, y_1, y_2)$. □

Lemma 9. If the triple $(g_2, u_1, u_2) \in QR_N^3$ given to the simulator is distributed according to distribution R, the simulator rejects all invalid ciphertexts with overwhelming probability.

Proof. Recall that the rejection of an invalid ciphertext $(U_1, U_2, T)$ depends on the quadruple $(x_1, x_2, y_1, y_2) \in \mathbb{Z}_{pq}^4$ of secret values, and that the public key provides the two linear Equations (1) and (2) to narrow down the number of possibilities for $(x_1, x_2, y_1, y_2)$ to $(pq)^2$. The response to the encapsulation query provides the value $t = u_1^{x_1 + y_1 \alpha} u_2^{x_2 + y_2 \alpha}$ and thus a linear equation

$l_t := \log_g(t) = r_1 x_1 + r_1 y_1 \alpha + w r_2 x_2 + w r_2 y_2 \alpha$. (4)

By using Equations (1) and (2) we can eliminate the variables $x_1$ and $y_1$:

$l_t = r_1 l_c - r_1 w x_2 + r_1 l_d \alpha - r_1 w y_2 \alpha + w r_2 x_2 + w r_2 y_2 \alpha$

$\phantom{l_t} = r_1 l_c + r_1 l_d \alpha + w x_2 (r_2 - r_1) + w y_2 \alpha (r_2 - r_1)$,

$y_2 = \dfrac{l_t - r_1 l_c - r_1 l_d \alpha - w x_2 (r_2 - r_1)}{w \alpha (r_2 - r_1)}$.

An invalid ciphertext $(U_1, U_2, T)$ is rejected, except when Equation (3) holds with $T' = T$. Recall $\alpha = H(u_1, u_2)$ and $A' = H(U_1, U_2)$ and consider three cases:

- Case 1, $(U_1, U_2) = (u_1, u_2)$: By the definition of an ACC attack, we require $t \ne T$, and thus the key decapsulation query $(U_1, U_2, T)$ will be rejected.

- Case 2, $(U_1, U_2) \ne (u_1, u_2)$ and $\alpha = A'$: This is a collision for H for the target $(u_1, u_2)$, which contradicts the assumption for H to be TC-resistant.

- Case 3, $(U_1, U_2) \ne (u_1, u_2)$ and $\alpha \ne A'$: We have four unknowns $x_1, x_2, y_1, y_2 \in \mathbb{Z}_{pq}$, and four Equations (1), (2), (3) and (4) describe their relationship. By solving this system of linear equations we get

$y_2 = \dfrac{l_{T'} - R_1 l_c - A' R_1 l_d - \dfrac{l_t - r_1 l_c - r_1 l_d \alpha}{r_2 - r_1} (R_2 - R_1)}{(R_2 - R_1)\, w\, (A' - \alpha)}$,

which uniquely determines $y_2$ if all the four values $(r_2 - r_1)$, $(R_2 - R_1)$, $w$, and $(A' - \alpha)$ are invertible in $\mathbb{Z}_{pq}$. (This implies that the four linear equations (1), (2), (3) and (4) are linearly independent.) The invertibility of $(r_2 - r_1)$ and $(R_2 - R_1)$ follows from Lemma [?], the invertibility of $w$ follows from Lemma [?], and the invertibility of $(A' - \alpha)$ follows from Lemma [?]. □
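The counting argument at the end of the proof of Lemma 8 (each rejection removes at most $pq$ of the $(pq)^2$ quadruples) and the Case 3 closed form above can be checked concretely in the exponent group. The Python code below is an added example and not part of the paper; it assumes toy values $p = 11$, $q = 23$ (so all logarithms live in $\mathbb{Z}_{253}$; the group elements themselves are never needed), works directly with $l_c, l_d, l_t, l_{T'}$ from Equations (1)-(4), and counts the quadruples $(x_1, x_2, y_1, y_2)$ that would make the simulator accept an invalid ciphertext: $pq$ of them when only the public key and the ciphertext are known, exactly one once Equation (4) is added. It also recovers $y_2$ with the closed form of Case 3.

```python
import math
import random

# Constructed toy exponent group: |QR_N| = pq with p = 11, q = 23, so every
# logarithm below is an element of Z_pq = Z_253.
p, q = 11, 23
M = p * q


def inv(x):
    return pow(x % M, -1, M)          # requires gcd(x, M) == 1


def random_unit(rng):
    while True:
        v = rng.randrange(1, M)
        if math.gcd(v, M) == 1:
            return v


def log_T(x1, x2, y1, y2, w, R1, R2, A):
    # Equation (3): log_g of T' = U1^{x1 + y1 A} U2^{x2 + y2 A}
    # with U1 = g^{R1}, U2 = g2^{R2} and g2 = g^w.
    return (R1 * x1 + R1 * y1 * A + w * R2 * x2 + w * R2 * y2 * A) % M


def count_accepting(w, l_c, l_d, R1, R2, A, l_T, t_query=None):
    """Count quadruples (x1, x2, y1, y2) in Z_pq^4 consistent with the public key
    (Equations (1), (2)) that would accept the invalid ciphertext (Equation (3)
    with log T' = l_T) and, if t_query = (r1, r2, alpha, l_t) is given, also match
    the encapsulation response (Equation (4))."""
    count = 0
    for x2 in range(M):
        x1 = (l_c - w * x2) % M                 # (1)
        for y2 in range(M):
            y1 = (l_d - w * y2) % M             # (2)
            if log_T(x1, x2, y1, y2, w, R1, R2, A) != l_T:
                continue
            if t_query is not None:
                r1, r2, alpha, l_t = t_query
                if log_T(x1, x2, y1, y2, w, r1, r2, alpha) != l_t:
                    continue
            count += 1
    return count


def simulate(seed=3):
    rng = random.Random(seed)
    x1, x2, y1, y2 = (rng.randrange(M) for _ in range(4))
    w = random_unit(rng)                                   # g2 = g^w, w invertible
    l_c, l_d = (x1 + w * x2) % M, (y1 + w * y2) % M       # (1), (2)
    # Encapsulation response under distribution R: r1 != r2, r2 - r1 invertible.
    r1 = rng.randrange(M)
    r2 = (r1 + random_unit(rng)) % M
    alpha = rng.randrange(M)
    l_t = log_T(x1, x2, y1, y2, w, r1, r2, alpha)          # (4)
    # Invalid decapsulation query: R1 != R2 and A' != alpha, both differences invertible.
    R1 = rng.randrange(M)
    R2 = (R1 + random_unit(rng)) % M
    A = (alpha + random_unit(rng)) % M
    l_T = log_T(x1, x2, y1, y2, w, R1, R2, A)              # (3)
    dR, dr = (R2 - R1) % M, (r2 - r1) % M
    # Lemma 9, Case 3: closed form for y2 from Equations (1)-(4).
    num = (l_T - R1 * l_c - A * R1 * l_d
           - dR * (l_t - r1 * l_c - r1 * l_d * alpha) * inv(dr)) % M
    y2_solved = num * inv(dR * w * (A - alpha)) % M
    return {
        "y2_recovered": y2_solved == y2,
        # Without Equation (4): one accepting x2 per choice of y2, i.e. pq quadruples.
        "accepting_without_t": count_accepting(w, l_c, l_d, R1, R2, A, l_T),
        # With Equation (4): the linear system has a unique solution.
        "accepting_with_t": count_accepting(w, l_c, l_d, R1, R2, A, l_T,
                                            (r1, r2, alpha, l_t)),
    }
```

The enumeration is only feasible because $pq = 253$; for real parameters the same two counts follow from the invertibility of $w$, $(R_2 - R_1)$, $(r_2 - r_1)$ and $(A' - \alpha)$ exactly as in the proofs.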

Lemma 10. Let $k$ be the encapsulated key in the response for the encapsulation query. If the triple $(g_2, u_1, u_2) \in QR_N^3$ given to the simulator is distributed according to distribution R, it is infeasible for the adversary to distinguish between $k$ and a uniformly distributed random value.

Proof. We set $r_1 = \log_g(u_1)$ and $r_2 = \log_{g_2}(u_2)$. Assume that $g_2 = g^w$ is a generator for $QR_N$ and that $r_1 \ne r_2$. Both assumptions hold with overwhelming probability. Now we prove: If all invalid decapsulation queries are rejected during the simulation, then under the factoring assumption it is infeasible for the adversary to distinguish between $k$ and a random value.

Observe that $k$ only depends on the two random values $z_1, z_2 \in \mathbb{Z}_{pq}$. Since $e = g^{z_1} g_2^{z_2}$, the public key provides one linear equation

$l_e := \log_g(e) = z_1 + w z_2 \iff z_1 = l_e - w z_2$. (5)

The rejection of an invalid key decapsulation query does not depend on $z_1$ and $z_2$. If the decapsulation query $(U_1, U_2, T)$ is valid and not rejected, we have a value $R$ such that $U_1 = g^R$ and $U_2 = g_2^R$. By $\log_g(K') = R z_1 + R w z_2 = R \log_g(e)$ this provides another equation, linearly depending on Equation (5). The response for the key encapsulation query consists of a ciphertext $(u_1, u_2, t)$ and a key $k = u_1^{z_1} u_2^{z_2} = g^{r_1 z_1} g^{w r_2 z_2}$, which provides a linear equation

$l_k := \log_g(k) = r_1 z_1 + w r_2 z_2 = r_1 l_e - r_1 w z_2 + r_2 w z_2 = r_1 l_e + w z_2 (r_2 - r_1)$, (6)

which finally gives

$z_2 = \dfrac{l_k - r_1 l_e}{w (r_2 - r_1)}$.

As before, we argue that with overwhelming probability and under the factoring assumption both $w$ and $(r_2 - r_1)$ are invertible in $\mathbb{Z}_{pq}$. If $w$ and $(r_2 - r_1)$ are invertible, then a unique value $z_2$ exists for every key $k \in QR_N$. □

Proof (Theorem 2). If the adversary can break the cryptosystem by distinguishing a real encapsulated key from a random one, she can do so as well in the simulation, if the simulator input is chosen according to distribution D (Lemma [?]). Since she cannot distinguish a real key from a random key in the simulation if the simulator input is distributed according to R (Lemmas 9 and 10), being able to break the cryptosystem means being able to distinguish distribution D from distribution R, contradicting the DDH assumption for $QR_N$. □


Remark 1 (Strengthening Theorem 2 by avoiding the factoring assumption).

If H is TC-resistant and the DDH assumption for $QR_N$ holds, the Cramer-Shoup Cryptosystem in $QR_N$ is ACC-secure.

To verify this, assume that the adversary somehow learns the factors P and Q of N. Then the DDH problem for $QR_N$ is hard if and only if both the DDH problem for $QR_P$ and the DDH problem for $QR_Q$ are hard. But given P and Q and an oracle to mount an ACC attack against the Cramer-Shoup Cryptosystem for $QR_N$, we can use this oracle to solve the DDH problem for either $QR_P$ or $QR_Q$. In this case, the DDH problem for $QR_N$ is feasible.

7 An Extension and Its Security

We describe how to extend the Cramer-Shoup cryptosystem, dealing with a hash function h, which may be used like a random oracle (→ Figure 1):

Fig. 1. The h-extension: converting t and k into $t_*$ and $k_*$. [figure not reproduced]

7.1 The Extended Scheme and Its Abstract Security

Cramer-Shoup Cryptosystem in $QR_N$ with h-Extension:

- The key pair (PK, SK) is the same as for the non-extended Cramer-Shoup cryptosystem. Let h be a function $h : \{1, 2, 3\} \times QR_N^3 \to QR_N$.

- Extend key encapsulation by computing

  $t_* = t * h(1, k, u_1, u_2)$ (→ solid arrows in Figure 1) and

  $\tau = t * h(2, k, u_1, u_2)$ and $k_* = k * h(3, \tau, u_1, u_2)$ (→ dashed arrows).

  The ciphertext is $(u_1, u_2, t_*)$, the encapsulated key is $k_*$.

- Decapsulate the ciphertext $(U_1, U_2, T_*) \in QR_N^2 \times \mathbb{Z}_N^*$ by computing $K'$, $T'$ as before, and reject if $T' * h(1, K', U_1, U_2) \ne T_*$. Else compute $\tau' = T' * h(2, K', U_1, U_2)$ and output $K'_* = K' * h(3, \tau', U_1, U_2)$.
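The h-extended scheme just described, written out as an added example (this is not the paper's code). It assumes toy safe primes $P = 23$, $Q = 47$ (so $N = 1081$ and $|QR_N| = pq = 253$), models H by SHA-256 reduced mod $pq$ and h by SHA-256 followed by squaring mod N; both modelling choices, the generator test borrowed from Appendix A, and the parameter sizes are assumptions of the example. Decapsulation checks $T' * h(1, K', U_1, U_2) = T_*$ before deriving $K'_*$, so any change to $t_*$ is rejected.

```python
import hashlib
import random
from math import gcd

# Constructed toy parameters (far too small for real use): safe primes
# P = 2p + 1 = 23 and Q = 2q + 1 = 47, hence N = 1081 and |QR_N| = pq = 253.
P, Q = 23, 47
p, q = (P - 1) // 2, (Q - 1) // 2
N = P * Q
PQ = p * q


def H(u1, u2):
    """TC-resistant hash into Z_pq, modelled by SHA-256 (an assumption of this example)."""
    digest = hashlib.sha256(f"H|{u1}|{u2}".encode()).digest()
    return int.from_bytes(digest, "big") % PQ


def h(i, x, u1, u2):
    """h : {1,2,3} x QR_N^3 -> QR_N, modelled by hashing into Z_N^* and squaring
    (squaring maps Z_N^* onto QR_N); an assumption of this example."""
    digest = hashlib.sha256(f"h|{i}|{x}|{u1}|{u2}".encode()).digest()
    y = int.from_bytes(digest, "big") % N
    while y == 0 or gcd(y, N) != 1:        # need a unit mod N before squaring
        y = (y + 1) % N
    return pow(y, 2, N)


def random_generator(rng):
    """Appendix A: x^2 for x in Z_N^* generates QR_N unless it is 1 or gcd(g - 1, N) > 1."""
    while True:
        x = rng.randrange(2, N)
        if gcd(x, N) != 1:
            continue
        g = pow(x, 2, N)
        if g != 1 and gcd(g - 1, N) == 1:
            return g


def keygen(rng):
    g = random_generator(rng)
    w = rng.randrange(1, PQ)
    g2 = pow(g, w, N)
    x1, x2, y1, y2, z1, z2 = (rng.randrange(PQ) for _ in range(6))
    c = pow(g, x1, N) * pow(g2, x2, N) % N
    d = pow(g, y1, N) * pow(g2, y2, N) % N
    e = pow(g, z1, N) * pow(g2, z2, N) % N
    return (g, g2, c, d, e), (x1, x2, y1, y2, z1, z2)


def encapsulate(pk, rng):
    g, g2, c, d, e = pk
    r = rng.randrange(1, PQ)
    u1, u2 = pow(g, r, N), pow(g2, r, N)
    alpha = H(u1, u2)
    t = pow(c, r, N) * pow(d, r * alpha, N) % N      # t = c^r d^{r alpha}
    k = pow(e, r, N)
    t_star = t * h(1, k, u1, u2) % N                 # solid arrows of Fig. 1
    tau = t * h(2, k, u1, u2) % N                    # dashed arrows of Fig. 1
    k_star = k * h(3, tau, u1, u2) % N
    return (u1, u2, t_star), k_star


def decapsulate(pk, sk, ct):
    """Return the encapsulated key, or None when the ciphertext is rejected."""
    x1, x2, y1, y2, z1, z2 = sk
    U1, U2, T_star = ct
    # Membership in Z_N^* is cheap to check (Remark 3); QR_N membership is not checked here.
    if any(not (0 < v < N) or gcd(v, N) != 1 for v in ct):
        return None
    A = H(U1, U2)
    T = pow(U1, x1 + y1 * A, N) * pow(U2, x2 + y2 * A, N) % N
    K = pow(U1, z1, N) * pow(U2, z2, N) % N
    if T * h(1, K, U1, U2) % N != T_star:
        return None
    tau = T * h(2, K, U1, U2) % N
    return K * h(3, tau, U1, U2) % N


def generator_check(seed=1):
    g = random_generator(random.Random(seed))
    return pow(g, PQ, N) == 1 and pow(g, p, N) != 1 and pow(g, q, N) != 1


def demo(seed=2024):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ct, k_star = encapsulate(pk, rng)
    u1, u2, t_star = ct
    honest_ok = decapsulate(pk, sk, ct) == k_star
    # Any change to t_* breaks the check T' * h(1, K', U1, U2) = T_*.
    tampered_rejected = decapsulate(pk, sk, (u1, u2, t_star * 4 % N)) is None
    return honest_ok, tampered_rejected
```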


Theorem 3 (Security of h-extended scheme in standard model).

Let h be any efficient function $h : \{1, 2, 3\} \times QR_N^3 \to QR_N$. If H is TC-resistant and both the DDH assumption for $QR_N$ and the factoring assumption for N hold, the h-extended Cramer-Shoup cryptosystem in $QR_N$ is ACC-secure.

Proof. Observe that the simulator described in Section [?] computes the values $k$ and $t$ when dealing with an encapsulation query. Also, being asked to decapsulate the ciphertext $(U_1, U_2, T)$, the same simulator computes the values $K'$ and $T'$ from $U_1$ and $U_2$. Thus, it is straightforward to apply the h-extension to the simulator. Since h is efficient, the extended simulator is efficient, too.

Using the extended simulator instead of the original one, the proof for Theorem 2 is applicable to Theorem 3. □

Theorem 4 (Security of h-extended scheme in random oracle model).

If the function h is modeled as a random oracle, the h-extended scheme is ACC-secure under the factoring assumption.

Proof. Let N and H be given. Consider an adversary with a non-negligible advantage to win the attack game. In the following experiment, we modify the key generation and we describe how to respond to the adversary's oracle queries, including queries to the random oracle. We start with the key generation:

- Choose $\beta \in_R \{1, \ldots, \lfloor N/4 \rfloor - 1\}$, $a \in_R \mathbb{Z}_N^*$ and compute $e := a^2$.

- Choose $u_1 \in_R QR_N$ and compute $g := u_1^{2\beta}$. (We will search for $k = e^{\log_g(u_1)}$, i.e., for the value $k$ with $k^{2\beta} = e$. If we find $k$, we have a 50% chance that $\gcd(k^\beta - a, N) \in \{P, Q\}$ holds, providing us with the factorisation of N.)

- Choose $w \in_R \mathbb{Z}_{pq}$ and compute $g_2 = g^w$ and $u_2 = u_1^w$.

- Choose $x_1, x_2, y_1, y_2 \in_R \mathbb{Z}_{pq}$ and compute $c = g^{x_1} g_2^{x_2}$ and $d = g^{y_1} g_2^{y_2}$.

- Use $(N, g, H, g_2, c, d, e)$ as the public key.

The response to the key encapsulation query is the ciphertext $(u_1, u_2, t_*)$ and the encapsulated key $k_*$ with $t_*, k_* \in_R QR_N$.

Let $(U_1, U_2, T_*)$ be a key decapsulation query. We respond as follows:

- Compute $T' = U_1^{x_1 + y_1 A'} U_2^{x_2 + y_2 A'}$.

- Consider values $K'$ with queries for $\delta_1 = h(1, K', U_1, U_2)$ to the random oracle. Verify if for one such value $K'$ the equation

  $(K')^{2\beta} = U_1$ (7)

  holds. If not, or if $T_* \ne T' * \delta_1$, then reject.

- Else ask the random oracle for $\delta_2 = h(2, K', U_1, U_2)$, compute $\tau = T' * \delta_2$, ask for $\delta_3 = h(3, \tau, U_1, U_2)$, and respond $K'_* = K' * \delta_3$ to the adversary.

A random oracle query to compute $h(I, X, U_1, U_2)$ (with $I \in \{1, 2, 3\}$ and $X, U_1, U_2 \in QR_N$) may be asked either by the adversary, or by ourselves when answering a key decapsulation query. The answer is computed as follows:

1. If we have been asked for $h(I, X, U_1, U_2)$ before, repeat the same answer.

2. Else, if $I \in \{1, 2\}$, $u_1 = U_1$, $u_2 = U_2$, and $X^{2\beta} = e$, print X and abort.

3. Else choose $Y \in_R QR_N$ and respond Y.
Observe that if we never abort (→ Step 2), the adversary cannot distinguish h from a random function over the same domain. On the other hand, assume that we abort the experiment, having found a value X with $X^{2\beta} = e$, i.e., $X^\beta$ is a square root (mod N) of e. Initially, we know two square roots of e, namely $\pm a$. Since the adversary has no information about $a$, except for $e = a^2$, $X^\beta \ne \pm a$ holds with probability 1/2. In this case, we can factorise N by computing $\gcd(X^\beta - a, N) \in \{P, Q\}$. This shows: If $\pi$ is the probability to abort the experiment, we can factorise N with the probability $\pi/2$ after running the experiment once.

Now, we deal with three different games:

1. the attack game with the "real" encapsulated key $k_*$,

2. the attack game where $k_*$ is replaced by a random value, and

3. the experiment we defined for the current proof.

As it turns out, the adversary cannot distinguish the experiment from either of the attack games, except when we abort the experiment:

- The public key values $g, g_2, c, d$, and $e$ are independent uniformly distributed random values in $QR_N$, in the attack games as in the experiment.

- In the attack games, the values $u_1$ and $u_2$ from the encapsulation query satisfy the equation $u_2 = g_2^{\log_g(u_1)}$ with $u_1 \in_R QR_N$. For one of the attack games, the values $t_*$ and $k_*$ depend on $t$ and $k$ (and h), while for the other one, $t_*$ depends on $t$ and $k$, while $k_*$ is chosen at random.

  In the experiment, $u_1 \in_R QR_N$ and $u_2 = g_2^{\log_g(u_1)}$ as well. The value $t_*$ cannot be distinguished from a uniformly distributed random value without asking for $h(1, k, u_1, u_2)$ (and then aborting). The value $k_*$ cannot be distinguished without asking for $h(3, \tau, u_1, u_2)$. Asking this query is infeasible without having asked for $\delta_2 = h(2, k, u_1, u_2)$ (followed by an abortion), since $\tau$ depends on $\delta_2$.

- Consider a decapsulation query $(U_1, U_2, T_*)$. Let $K'$ be defined by Equation (7). If h is a well-defined function, there is a unique well-defined value $T'_*$ such that a ciphertext $(U_1, U_2, T'_*)$ has to be accepted, and every ciphertext $(U_1, U_2, T_*)$ with $T_* \ne T'_*$ has to be rejected. Without asking for $h(1, K', U_1, U_2)$, the adversary cannot predict $T'_*$, and any ciphertext $(U_1, U_2, T_*)$ chosen by the adversary is rejected with overwhelming probability in the attack games and with probability 1 in the experiment.

  If the adversary had asked for $h(1, K', U_1, U_2)$, the computation of $T'_*$ and $K'_*$ is exactly the same in the experiment as in the attack games. □

7.2 The Concrete Security of the Extended Scheme

Note that the reduction in the proof of Theorem 4 is very efficient. We quantify this by describing the concrete security against a generic adversary, i.e., against an adversary who treats the hash function h like a random oracle.

Theorem 5 (Concrete security of h-extended scheme in r. o. model).

Let A be a generic ACC adversary, allowed to ask one key encapsulation query, $q_{KD}$ key decapsulation queries, and $q_1 + q_2 + q_3$ random oracle queries, namely $q_i$ random oracle queries of the form $h(i, \ldots)$. Assume A takes the running time $T_A$ and achieves the advantage $a_A$ when distinguishing between the attack game with the "real" and the attack game with a random encapsulated key.

Then an algorithm F exists to find the factors P and Q of N with at least the probability $a_A/2 - (q_3 + 2 q_{KD})/pq$. The expected running time for F is at most $T_A + T_F$, with $T_F$ being linear in the total number $q_\Sigma = (1 + q_{KD} + q_1 + q_2 + q_3)$ of oracle queries. More specifically, $T_F$ is the time for doing $7 + 3 q_{KD} + q_1 + q_2$ exponentiations mod N and $O(q_\Sigma)$ other operations.

Proof. The proof of Theorem 4 already describes what we call algorithm F here: Run the key generation and then invoke the distinguishing adversary A, providing all responses to A's oracle queries. To prove Theorem 5, we concretely analyse running time and probability of success of this algorithm.

Running time:

During key generation, we compute seven values by exponentiation mod N: $u_1^{2\beta}, g^w, u_1^w, g^{x_1}, g_2^{x_2}, g^{y_1}, g_2^{y_2}$. When responding to the key encapsulation query, no exponentiations are necessary. Responding to a random oracle query $h(1, \ldots)$ or $h(2, \ldots)$ may require to compute $X^{2\beta}$. Queries $h(3, \ldots)$ can be answered without computing any exponentiations.

Key decapsulation queries are slightly more complicated and may need up to three exponentiations. Two are needed to compute $T'$. The values $(K')^{2\beta}$ have already been computed when dealing with a random oracle query $h(1, \ldots)$ and may have been stored in a table. But responding to a key decapsulation query may require to make two additional calls $h(2, \ldots)$ and $h(3, \ldots)$ to the random oracle, and calling $h(2, \ldots)$ may require another (third) exponentiation.

Thus the total number of exponentiations mod N is at most

$3 q_{KD} + q_1 + q_2 + 7$.

Similarly, we can count the total number of other operations, which is no more than linear in $q_\Sigma$, as well.

Note that the random oracle may have to respond to at most $q_1$ queries $h(1, \ldots)$, but to at most $q_{KD} + q_2$ queries $h(2, \ldots)$ and $q_{KD} + q_3$ queries $h(3, \ldots)$. The reason is that computing the answer to a decapsulation query may include two additional random oracle queries $h(2, \ldots)$ and $h(3, \ldots)$.

Probability:

A cannot distinguish between the two attack games without asking for $h(3, \tau, u_1, u_2)$, where $\tau = h(2, k, u_1, u_2) * t$. If A ever asks for $h(2, k, u_1, u_2)$, the simulator aborts and F will factorise N with a 50% probability of success. Else, A has no (Shannon) information about $\tau$. In this case, and since at most $q_3 + q_{KD}$ queries of the form $h(3, \ldots)$ are to be answered, the probability that any of these is of the form $h(3, \tau, u_1, u_2)$ is at most $(q_3 + q_{KD})/pq$.

When might the adversary be able to distinguish either of the attack games from the experiment we define in the proof of Theorem 4, i.e., from the behavior of algorithm F? The experiment behaves exactly like any of the attack games, with the following two exceptions:

1. A asks for $h(I, X, U_1, U_2)$ with $I \in \{1, 2\}$ and $X^{2\beta} = e$. In this case, the experiment is aborted (and F has a 50% chance of factorising N).

2. A asks for the decapsulation of a ciphertext $(U_1, U_2, T_*)$, without having asked for $h(1, K', U_1, U_2)$ before ($K'$ is defined in Equation (7)). In this case, F always rejects, while the attack games reject with the probability $1 - 1/pq$.

Since A can ask for the decapsulation of $q_{KD}$ ciphertexts, the entire probability that any random ciphertext is not rejected in an attack game is $\le q_{KD}/pq$. Even if A could always distinguish the "real" encapsulated key from a random value when asking for $h(3, \tau, u_1, u_2)$ without asking for $h(2, k, u_1, u_2)$ before, or when a random ciphertext $(U_1, U_2, T_*)$ in a key decapsulation query is not rejected, the probability for F to factorise N would not be less than

$\dfrac{a_A}{2} - \dfrac{q_3 + q_{KD}}{pq} - \dfrac{q_{KD}}{pq}$.

□


Remark 2 (Practical consequences of Theorem 5).

Theorem 5 counts modular exponentiations and mentions "other operations". These are simpler arithmetic operations (e.g. multiplication mod N), choosing random values ($\in_R QR_N$, $\in_R \mathbb{Z}_N^*$, and $\in_R \mathbb{Z}_{pq}$), and hash table look-up and update operations. In practice, none of these operations should be slower than an exponentiation mod N. Thus, the running time for algorithm F is $T_A + O(q_\Sigma * T_N)$, where $T_N$ is the time for computing an exponentiation mod N.

For any reasonable choice of N, the probability that F actually factorises N is extremely close to $a_A/2$.

7.3 Comparison to Shoup's Technique

The approach in this section has been inspired by Shoup [?], who also described a "hedged" variant of the Cramer-Shoup Scheme, being both

- provably secure in the standard model under a "strong" assumption and

- provably secure in the random oracle model under a "weak" assumption.

In [?], the "strong" assumption is the DDH assumption for a group G of prime order. The "weak" assumption is the CDH assumption for G. As was stressed in [?] (see also [?, Remark 4]), the reduction in the random oracle model is quite inefficient, since it is relative to a DDH oracle:

- Let the DDH assumption for G be false, i.e., a polynomial-time algorithm $A_1$ with a significant DDH advantage exists. By standard amplification techniques (calling $A_1$ polynomially often), we get $A_2$, which achieves an overwhelming DDH advantage. Note that the DDH oracle $A_2$ is "efficient" in the sense of Complexity Theory, but may be quite inefficient in practice.

- Assume an efficient generic ACC adversary A exists to break the hedged Cramer-Shoup variant [?]. The reduction in [?] describes how to use the adversary A as a tool to break the CDH assumption for G. The reduction requires to call $A_2$ each time when A asks a new random oracle query.

- Consider a hypothetical example (using viciously chosen numbers): Let, for some choice of G, $A_1$ run in $2^{30}$ computer clocks. Thus, $A_1$ could qualify as "practically efficient". If $A_2$ executes $A_1$ $2^{30}$ times, $A_2$ could be considered "hard, but feasible" on a massively parallel computer. Now consider an efficient generic ACC adversary A making $2^{30}$ random oracle queries. The reduction provides an algorithm to solve the CDH problem for G, but this algorithm would require more than $2^{90}$ units of time.

Thus, an efficient generic ACC attack against the scheme does not necessarily reduce to a practical solution for the CDH problem for G.

As explained above, the reduction in the current paper is quite efficient, using linearly many moderately simple operations (such as exponentiations mod N), but no potentially complex operation (such as the DDH oracle in [?]).

Also note that we do not assume the hash function H to be TC-resistant for Theorem 4, in contrast to [?, Theorem 3].

On the other hand, the random oracle security in the current paper is based on the factoring assumption, not on the CDH assumption. This may be seen as a disadvantage. By generalising the technique from [?] for $QR_N$, we might be able to use the CDH assumption for $QR_N$ instead, which is at least as strong as the factoring assumption for N, see Theorem 1.

A rather technical difference to our approach is that [?] introduces the notion of a pair-wise independent hash function (PIH) and combines a PIH with a random oracle. The PIH is required for the security result in the standard model (i.e., for the counterpart of Theorem 3 in the current paper).

8 Final Remarks and Discussion

Remark 3 (The input for KD).

Note that the input $(U_1, U_2, T_*) \in QR_N^2 \times \mathbb{Z}_N^*$ is under control of the adversary. If $x$ is a number, it is easy to verify whether $x \in \mathbb{Z}_N^*$, but it may be difficult to verify $x \in QR_N$. We can deal with this problem by using KE' and KD' instead of KE and KD:

- KE': Compute KE and replace $k$ by $k^2$ and $t$ by $t^2$.

- KD'(SK, $(U_1, U_2, T)$) for $(U_1, U_2, T) \in (\mathbb{Z}_N^*)^3$: Compute KD(SK, $(U_1^2, U_2^2, T)$).

Note that (Gen, KE', KD') is as sound as (Gen, KE, KD). But for $(U_1, U_2, T) \in (\mathbb{Z}_N^*)^3$, the input for KD is now in $QR_N^2 \times \mathbb{Z}_N^*$, as it should. A similar technique can be used for the h-extension.


Remark 4 (The hash function H).

Theoretically we don't need an additional assumption for the TC-resistance of H. Based on the factoring assumption, provably secure TC-resistant (and even stronger) hash functions are known. In practice, we may prefer to use a dedicated hash function such as SHA-1 or RIPE-MD 160.

Recall that we deal with a cryptosystem which has computations in $QR_N$, but nobody knows (or needs to know) the order of $QR_N$. (Note that knowing the order of $QR_N$ is equivalent to knowing the factors of N.)

This may be interesting for the construction of advanced cryptographic protocols, where some party knows the factorisation of N in addition to the secret key, while another party only knows the secret key itself. E.g., consider a variant of our scheme, where the factors of N (possibly more than just two, in contrast to the current paper) are small enough that computing the discrete log modulo any of the factors is feasible. Everyone knowing the factorisation of N can thus compute discrete logarithms mod N, and the factorisation of N may serve as a "master key": Knowing it allows to compute the secret key from a given public key defined over the group $QR_N$. This approach is roughly related to key insulation [?], where "ordinary" public keys may be stored and used in a risky environment, while the master key is well protected.

From a practical point of view, it may not appear too useful to hide the order of the group from the owner of the secret key (except in the context of the advanced protocols mentioned above). In practice, the owner of the secret key might want to use the knowledge of the factors P and Q of N to improve the efficiency of key decapsulation by applying the Chinese Remainder Theorem.

The main practical selling point for the current scheme is the improved security assurance in the random oracle model, compared to [?].

An interesting open problem is the following: Is this paper's hedging technique (cf. Figure 1) applicable to other cryptosystems, e.g., to the variants of the Cramer-Shoup Cryptosystem described in [?]?
Appendix

A Properties of the Set $QR_N$: Proofs

In this section, we prove the Lemmas stated in Section [?]. Consider the sets

$QR_P = \{x \in \mathbb{Z}_P^* \mid \exists a \in \mathbb{Z}_P^* : a^2 = x \pmod P\}$,

$QR_Q = \{x \in \mathbb{Z}_Q^* \mid \exists a \in \mathbb{Z}_Q^* : a^2 = x \pmod Q\}$, and

$QR_N = \{x \in \mathbb{Z}_N^* \mid \exists a \in \mathbb{Z}_N^* : a^2 = x \pmod N\}$

of Quadratic Residues modulo P, Q and N. Recall the following facts (which we don't prove in the current paper):

Fact 1. The sets $QR_N$, $QR_P$, and $QR_Q$ are multiplicative groups.

Fact 2. $|QR_N| = pq$, $|QR_P| = p$, and $|QR_Q| = q$.

Fact 3. Groups of prime order are cyclic.

Lemma 1. $QR_N$ has a nontrivial subgroup of order p and a nontrivial subgroup of order q. Both subgroups are cyclic.

Proof. Note that $x \in \mathbb{Z}_N^*$ is in $QR_N$ if and only if $x$ is both a Quadratic Residue mod P and a Quadratic Residue mod Q. If $a = 1 \pmod P$ and $b = 1 \pmod P$, then $ab = 1 \pmod P$, and if both $a$ and $b$ are Quadratic Residues mod Q, then $ab$ is a Quadratic Residue mod Q as well. Thus, the set

$\{x \in \mathbb{Z}_N^* \mid \exists a \in QR_Q : x = a \bmod Q \text{ and } x = 1 \bmod P\}$

is a subgroup of $QR_N$ of the order $|QR_Q| = q$. Similarly, a subgroup of $QR_N$ of the order p exists. Groups of prime order are cyclic. □

Lemma 2. $QR_N$ is cyclic. It consists of one element of the order 1, $(p - 1)$ elements of the order p, $(q - 1)$ elements of the order q, and $(p - 1)(q - 1)$ elements of the order pq.

Proof. Consider $a, b \in QR_N$ with $\mathrm{ord}(a) = p$, $\mathrm{ord}(b) = q$. Due to Lemma 1 such elements $a$ and $b$ exist; $\mathrm{ord}(ab) = \mathrm{lcm}(p, q) = pq$, thus $g = ab$ generates $QR_N$.

Due to $\mathrm{ord}(g) = pq$ we have $\mathrm{ord}(g^0) = \mathrm{ord}(g^{pq}) = \mathrm{ord}(1) = 1$, $\mathrm{ord}(g^i) = pq \iff (i \ge 1$ and $\gcd(i, pq) = 1)$, $\mathrm{ord}(g^{kp}) = q$ for $k \in \{1, \ldots, q - 1\}$, and $\mathrm{ord}(g^{lq}) = p$ for $l \in \{1, \ldots, p - 1\}$. □

Lemma 3. For every $x \in QR_N$: $\mathrm{ord}(x) \in \{p, q\} \Rightarrow \gcd(x - 1, N) \in \{P, Q\}$.

Proof. From Lemma 2 and the proof of Lemma 1: $\mathrm{ord}(x) = q \Rightarrow x = 1 \pmod P \Rightarrow \gcd(x - 1, N) = P$. Similarly: $\mathrm{ord}(x) = p \Rightarrow \gcd(x - 1, N) = Q$. □

Lemma 3 implies that an adversary who is able to find any $x \in QR_N$ with $\mathrm{ord}(x) \notin \{1, pq\}$ can factorise N. Further, if $\mathrm{ord}(x) = pq$, then $\gcd(x - 1, N) = 1$. An implication of Lemma 2 is that it is easy to find a random generator for $QR_N$: Choose $x \in_R \mathbb{Z}_N^*$ and compute $g = x^2 \bmod N$. If p and q are large, $g$ is a generator for $QR_N$ with overwhelming probability. In any case, $g$ is a generator if and only if $\mathrm{ord}(g) \notin \{1, p, q\}$; $\mathrm{ord}(g) = 1 \iff g = 1$, and Lemma 3 provides a way to check for $\mathrm{ord}(g) \notin \{p, q\}$.

Lemma 4. Let $g$ be a generator for $QR_N$. For every $x \in \mathbb{Z}_{pq}$: $\mathrm{ord}(g^x) \in \{p, q\} \iff \gcd(x, pq) \in \{p, q\}$.

Proof. If $x = 0 \pmod p$ (and $x \ne 0 \pmod{pq}$), then $g^{qx} = 1$ and thus $\mathrm{ord}(g^x) = q$. If $\mathrm{ord}(g^x) = q$, then $(g^x)^q = 1 \Rightarrow xq = 0 \bmod pq \Rightarrow x = 0 \pmod p$. Thus, $x = 0 \pmod p \iff \mathrm{ord}(g^x) = q$. Similarly, we get $x = 0 \pmod q \iff \mathrm{ord}(g^x) = p$. □
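The four lemmas above, together with the generator test derived from Lemma 3, can be verified exhaustively for a toy modulus. The Python code below is an added example and not part of the paper; it assumes the constructed safe primes $P = 23$, $Q = 47$, enumerates $QR_N$, classifies its elements by order (Lemma 2), and checks Lemma 3, Lemma 4 and the generator test against the computed orders.

```python
from math import gcd

# Constructed toy safe primes P = 2p + 1 = 23 and Q = 2q + 1 = 47; N = 1081.
P, Q = 23, 47
p, q = (P - 1) // 2, (Q - 1) // 2
N = P * Q


def quadratic_residues():
    """QR_N = { x^2 mod N : x in Z_N^* }; by Fact 2 it has pq elements."""
    return sorted({pow(x, 2, N) for x in range(1, N) if gcd(x, N) == 1})


def order(x):
    """Order of x in QR_N; it divides pq, so only 1, p, q and pq are candidates."""
    for d in (1, p, q, p * q):
        if pow(x, d, N) == 1:
            return d
    raise ValueError("not an element of QR_N")


def order_census():
    """Lemma 2: one element of order 1, p-1 of order p, q-1 of order q,
    (p-1)(q-1) of order pq."""
    counts = {}
    for x in quadratic_residues():
        o = order(x)
        counts[o] = counts.get(o, 0) + 1
    return counts


def lemma3_holds():
    """ord(x) in {p, q} => gcd(x-1, N) in {P, Q}; and ord(x) = pq => gcd(x-1, N) = 1."""
    for x in quadratic_residues():
        o = order(x)
        if o in (p, q) and gcd(x - 1, N) not in (P, Q):
            return False
        if o == p * q and gcd(x - 1, N) != 1:
            return False
    return True


def is_generator(g):
    """The generator test from the appendix: g != 1 and gcd(g - 1, N) = 1."""
    return g != 1 and gcd(g - 1, N) == 1


def generator_test_matches_order():
    return all(is_generator(x) == (order(x) == p * q) for x in quadratic_residues())


def lemma4_holds(g):
    """For a generator g: ord(g^x) in {p, q} <=> gcd(x, pq) in {p, q}, for all x in Z_pq."""
    return all((order(pow(g, x, N)) in (p, q)) == (gcd(x, p * q) in (p, q))
               for x in range(p * q))


def some_generator():
    return next(x for x in quadratic_residues() if is_generator(x))
```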

B ACC-Security and Lunchtime-Security

Key decapsulation queries correspond to chosen ciphertext decryption queries in the public-key (PK) world. The key encapsulation query corresponds to the PK encryption query. Here, a plaintext is chosen by the adversary, the oracle either really encrypts that plaintext or it encrypts a random plaintext, and the adversary has to distinguish between real and random. Lunchtime (i.e. non-adaptive) security deals with all decryption queries before the encryption query. ACC attacks against PK cryptosystems deal with two phases of chosen ciphertext queries, the first before the encryption query, the second after the encryption query. (As mentioned in Footnote [?], some authors denote lunchtime security by "IND-CCA1" and ACC security by "IND-CCA2". Here "IND" means "indistinguishable". This notation has been introduced in [?].) In the second phase, one may not ask for the decryption of the result of the encryption query.

A definition for a lunchtime-secure KEM would require a minor modification of our definition for an ACC-secure KEM by asking the decapsulation queries before the encapsulation query. And a two-phase attack against a KEM with some decapsulation queries before and some after the encapsulation query, similar to the ACC attack against PK cryptosystems, can easily be simulated by our (one-phase) ACC attack.

C The Proof for Factoring Assumption ⇒ CDH Assumption

Proof (Theorem 1). We describe an algorithm using a CDH oracle for $QR_N$ as a tool to factorise N. For random inputs, the oracle succeeds with probability $\pi$.

- Choose $\beta \in_R \mathbb{Z}_{pq}$, $a \in_R \mathbb{Z}_N^*$ and compute $g_2 = a^2$.

- Choose $u_1 \in_R QR_N$ and compute $g = u_1^{2\beta}$.

- Use the CDH oracle to compute $u_2$ with $u_2^{2\beta} = g_2$.

- If $u_2^\beta \ne \pm a \pmod N$, print $\gcd(u_2^\beta - a, N)$.

Since $\beta \in \mathbb{Z}_{pq}$ is a uniformly distributed random value (or statistically indistinguishable from uniform), so are the values $g, g_2, u_2 \in QR_N$. With the probability $\pi$, we get a random square root $u_2^\beta$ of $g_2$. Two of the four square roots of $g_2$, namely $\pm a$, are not useful, but if $a \ne \pm u_2^\beta \pmod N$, then $\gcd(u_2^\beta - a, N) \in \{P, Q\}$ factorises N. □
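The square-root-to-factoring step used in the proof of Theorem 1 above, and in the same form in the abort case of the proof of Theorem 4, can be exercised on a toy modulus. The Python code below is an added example, not the paper's; it assumes the constructed safe primes $P = 23$, $Q = 47$, and since no CDH oracle is available it simulates one using the group order $pq$ (which the genuine reduction does not know; the simulation uses it only to play the oracle's part). The observed success rate is close to the 1/2 predicted in the text, because the root the oracle returns coincides with $\pm a$ in half of the runs.

```python
import random
from math import gcd

# Constructed toy safe primes. The reduction itself only uses N; P, Q and pq appear
# here solely to build the example and to simulate the oracle.
P, Q = 23, 47
p, q = (P - 1) // 2, (Q - 1) // 2
N = P * Q
PQ = p * q


def random_unit(rng, modulus):
    while True:
        v = rng.randrange(1, modulus)
        if gcd(v, modulus) == 1:
            return v


def simulated_cdh_oracle(g, u1, g2, beta):
    """Stands in for the CDH oracle on (g, u1, g2) where u1 = g^{1/(2 beta)}: it must
    return g2^{log_g(u1)} = g2^{1/(2 beta)}. Uses the secret order pq, which the real
    reduction does not have; g and u1 are accepted only to mirror the oracle interface."""
    return pow(g2, pow(2 * beta, -1, PQ), N)


def factor_from_roots(a, X):
    """Given a^2 = X^2 (mod N), return a factor of N from gcd(X - a, N), or None if X = +-a."""
    if X % N in (a % N, (-a) % N):
        return None
    f = gcd(X - a, N)
    return f if 1 < f < N else None


def reduction(rng):
    """One run of the algorithm from Appendix C. Returns a factor of N or None."""
    beta = random_unit(rng, PQ)              # 2*beta must be invertible mod pq
    a = random_unit(rng, N)                  # a in Z_N^*
    g2 = a * a % N                           # g2 = a^2; we know its roots +-a
    u1 = pow(random_unit(rng, N), 2, N)      # u1 in QR_N
    g = pow(u1, 2 * beta, N)                 # g = u1^{2 beta}
    u2 = simulated_cdh_oracle(g, u1, g2, beta)
    X = pow(u2, beta, N)                     # u2^{2 beta} = g2, so X^2 = g2
    return factor_from_roots(a, X)


def root_is_correct(seed=1):
    """Sanity check that the simulated oracle returns u2 with u2^{2 beta} = g2."""
    rng = random.Random(seed)
    beta = random_unit(rng, PQ)
    a = random_unit(rng, N)
    g2 = a * a % N
    u1 = pow(random_unit(rng, N), 2, N)
    u2 = simulated_cdh_oracle(pow(u1, 2 * beta, N), u1, g2, beta)
    return pow(u2, 2 * beta, N) == g2


def success_rate(trials=400, seed=7):
    """Fraction of runs that factor N; the analysis predicts about 1/2."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials) if reduction(rng) in (P, Q))
    return hits / trials
```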
Abstract. XTR is a general method that can be applied to discrete logarithm based cryptosystems in extension fields of degree six, providing a compact representation of the elements involved. In this paper we present a precise formulation of the Brouwer-Pellikaan-Verheul conjecture, originally posed in [4], concerning the size of XTR-like representations of elements in extension fields of arbitrary degree. If true this conjecture would provide even more compact representations of elements than XTR in extension fields of degree thirty. We test the conjecture by experiment, showing that in fact it is unlikely that such a compact representation of elements can be achieved in extension fields of degree thirty.


1 Introduction

Many public key cryptosystems are based on the assumed intractability of the Discrete Logarithm (DL) problem: given a cyclic group $G = \langle g \rangle$ and $h \in G$ find $0 \le x < \#G$ such that $h = g^x$.

Any cryptosystem based on the DL problem requires a large cyclic group G as a parameter of the system. We require that exponentiation is efficient in G but that the DL problem is believed to be hard.

The seminal example of DL-based cryptosystems is Diffie-Hellman key exchange (see [?]), a method that enables two parties (Alice and Bob) to establish a shared secret key by exchanging messages over an open channel. Alice generates a random key $2 \le a < \#G$ and sends $A = g^a$ to Bob. Similarly Bob generates $2 \le b < \#G$ and sends $B = g^b$ to Alice. Alice and Bob can now both determine the common secret key $S = A^b = B^a = g^{ab}$.

The basic and original version of Diffie-Hellman key exchange uses $G = \mathbb{F}_p^*$ where the prime p and a generator g of G are public parameters. There are other choices for the group G. For example Claus Schnorr proposed using a prime order subgroup of $\mathbb{F}_p^*$ (see [?]). Alternatively one can use the group of points on certain elliptic curves.

In this paper we explore another choice: a carefully chosen subgroup G of prime order q of the multiplicative group of an extension field $\mathbb{F}_{p^k}$. We can represent elements of G by their minimal polynomials over a subfield of $\mathbb{F}_{p^k}$ and thereby for certain values of k achieve a comparatively compact representation of the group elements involved. This is the idea behind LUC (k = 2) and XTR (k = 6); see Section 2.

In Section 3 we refer to a conjecture implicitly posed by Brouwer, Pellikaan and Verheul in [?] (the 'BPV' conjecture) concerning the size of minimal polynomial representations of elements in field extensions of arbitrary degree. In Sections [?] and [?] we prove some general results concerning the coefficients of minimal polynomials and develop precise formulations of the BPV conjecture.

Our main objective was to investigate the possibility of obtaining a more compact representation of elements than XTR for values of k larger than 6. We used a Magma program (described in Section [?]) to conduct our investigations. Since the BPV conjecture (if true) would provide a more compact representation than XTR in field extensions of degree thirty we considered this to be the most interesting case. However we also investigated intermediate values of k and discovered (rather to our surprise) some cases that support the conjecture, although these cases do not provide a more compact representation than XTR.

In Section [?] we present the experimental results of our investigations. We show that if the conjectured relations exist in the degree 30 case then they are most likely too complicated to be of practical value.

2 Representing Elements by Their Minimal Polynomials

A standard method for representing elements of an extension field $\mathbb{F}_{p^k}$ is as vectors over a subfield $\mathbb{F}_{p^d}$. The usual way of achieving such a representation is to use the fact that $\mathbb{F}_{p^k} = \mathbb{F}_{p^d}[X]/P(X)$ where $P$ is an irreducible polynomial of degree $k/d$ over $\mathbb{F}_{p^d}$. Elements of $\mathbb{F}_{p^k}$ are represented by residue classes modulo $P$ and these classes can in turn be represented by the polynomials over $\mathbb{F}_{p^d}$ of degree less than $k/d$. The coefficients of these polynomials enable us to express the field elements as vectors over $\mathbb{F}_{p^d}$ of length $k/d$; therefore we generally require $k \log p$ bits to represent an element.

A well-known alternative method is to represent $\alpha \in \mathbb{F}_{p^k}$ by its minimal polynomial over a subfield $\mathbb{F}_{p^d}$. This is the unique monic irreducible polynomial $F$ over $\mathbb{F}_{p^d}$ such that $F(\alpha) = 0$. We always have $\deg(F) \le k/d$.

Note that when $\deg(F) = k/d$ and $d < k$ then the $k/d$ non-trivial coefficients of the minimal polynomial do not determine the element uniquely: if $\alpha_0 \in \mathbb{F}_{p^k}$ is a root of $F$ then so are $\alpha_1 = \alpha_0^{p^d}, \alpha_2 = \alpha_0^{p^{2d}}, \ldots, \alpha_{k/d-1} = \alpha_0^{p^{k-d}}$. The $\alpha_i$ are the conjugates of $\alpha_0$ over $\mathbb{F}_{p^d}$, and these elements are all represented by the same minimal polynomial over $\mathbb{F}_{p^d}$.

The minimal polynomial over $\mathbb{F}_{p^d}$ of an element of $\mathbb{F}_{p^k}$ will have degree $k/d$ unless the element is contained in a subfield $\mathbb{F}_{p^e}$ where $\mathbb{F}_{p^d} \subseteq \mathbb{F}_{p^e} \subsetneq \mathbb{F}_{p^k}$. Thus at first sight it appears that for most elements of $\mathbb{F}_{p^k}$ we would require $k \log p$ bits to specify the $k/d$ non-trivial coefficients of the minimal polynomial over $\mathbb{F}_{p^d}$, and that therefore we need the same number of bits to represent elements as in the representation using residue classes discussed above. However in certain cases there exist relationships between the coefficients of the minimal polynomials that enable us to reduce the number of coefficients that are required and thereby make the representation more compact. This idea is used in both LUC and XTR; we describe these methods in the two examples at the end of this section.

We now introduce the subgroups of field extensions in which we work.

Definition 1. In a field $\mathbb{F}_{p^k}$ we call a subgroup of prime order $q$ with $q \mid \Phi_k(p)$ and $q \nmid k$ a cyclotomic subgroup and denote it by $G_{q,p,k}$. (Here $\Phi_k(p)$ denotes the $k$-th cyclotomic polynomial evaluated in $p$; see 0 and cao.)

We call the group of all elements of order dividing $\Phi_k(p)$ the $(p,k)$-cyclotomic group and denote it by $G_{p,k}$.

The original Diffie-Hellman protocol uses the $(p,1)$-cyclotomic group $G_{p,1}$, while Schnorr's variant is based in a cyclotomic subgroup $G_{q,p,1}$. LUC uses a cyclotomic subgroup $G_{q,p,2}$ and XTR uses $G_{q,p,6}$, as we next explain.

Example 1. The LUC system uses minimal polynomials to represent elements of a cyclotomic subgroup $G_{q,p,2}$ of $\mathbb{F}_{p^2}^*$. The minimal polynomial over $\mathbb{F}_p$ of an element $h \in G_{q,p,2} \setminus \{1\}$ is

$$P_h = (X - h)(X - h^p) = X^2 - (h + h^p)X + h^{p+1} = X^2 - \mathrm{Tr}_p(h)X + 1$$

where $\mathrm{Tr}_p(h) \in \mathbb{F}_p$ denotes the trace of $h$ over $\mathbb{F}_p$. Hence $h$ can be represented by the polynomial $P_h \in \mathbb{F}_p[X]$ and this polynomial is completely determined by the value of $\mathrm{Tr}_p(h)$. Thus only $\log p$ bits are required to represent elements of $G_{q,p,2}$ by their minimal polynomials, compared to the $2 \log p$ bits that would be required using a standard representation.

As already observed $P_h$ does not determine $h$ uniquely but determines both $h$ and $h^p$, the conjugate of $h$ over $\mathbb{F}_p$.

LUCDIF is a variant of Diffie-Hellman key exchange obtained by applying LUC to the conventional system described in the Introduction. In the LUCDIF variant Alice sends Bob $\mathrm{Tr}_p(g^a)$ instead of $g^a$. Using the standard method for solving a quadratic equation Bob solves $X^2 - \mathrm{Tr}_p(g^a)X + 1 = 0$ obtaining the solutions $g^a$ and its conjugate $g^{ap}$. Bob can now use these solutions and his secret exponent $b$ to calculate $(g^a)^b + (g^{ap})^b = g^{ab} + g^{abp} = \mathrm{Tr}_p(g^{ab})$. Alice uses the same method to calculate the shared secret key $\mathrm{Tr}_p(g^{ab})$ from the value $\mathrm{Tr}_p(g^b)$ received from Bob.

The elements $\mathrm{Tr}_p(g^a)$ and $\mathrm{Tr}_p(g^b)$ that are communicated over the open channel are in $\mathbb{F}_p$ and hence of length $\log p$ bits. This is half the size of the elements $g^a$ and $g^b$ that are exchanged in conventional Diffie-Hellman key exchange using the standard representation discussed at the beginning of this section.

Another benefit of LUCDIF is that the calculations that each party must perform are significantly quicker than in the conventional system. These calculations use so-called Lucas recurrent sequences. For full details the reader should consult P|, [22] (where the name 'LUCDIF' was proposed), j I Yi, |1 til, [TTlj and Id-.

Of course it is essential that the benefits achieved by applying LUC do not compromise the security of the system. In fact it is easily shown that breaking the LUCDIF variant is equivalent to breaking the conventional system.
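The LUCDIF exchange described above, as an added Python example that is not part of the paper: both parties only ever handle traces in $\mathbb{F}_p$, and $\mathrm{Tr}_p(g^n)$ is obtained from $\mathrm{Tr}_p(g)$ with the Lucas sequence $V_n(t,1)$ rather than by solving the quadratic. The toy parameters $p = 10007$, $q = 139$, the quadratic-non-residue construction of $\mathbb{F}_{p^2}$ and all function names are the example's own.

```python
import random

# Toy parameters constructed for this example (far too small for real use):
# p prime and q an odd prime with q | Phi_2(p) = p + 1, so G_{q,p,2} has order q.
P, Q = 10007, 139
assert (P + 1) % Q == 0 and all(Q % d for d in range(2, Q))

def nonresidue(p):
    """Smallest quadratic non-residue n mod p, so that F_{p^2} = F_p(w), w^2 = n."""
    return next(n for n in range(2, p) if pow(n, (p - 1) // 2, p) == p - 1)

N = nonresidue(P)

def f2_mul(x, y, p=P, n=N):
    """Product of x = (a, b) and y = (c, d), standing for a + b*w and c + d*w."""
    (a, b), (c, d) = x, y
    return ((a * c + n * b * d) % p, (a * d + b * c) % p)

def f2_pow(x, e):
    """x^e in F_{p^2} by square-and-multiply (the 'standard representation')."""
    r = (1, 0)
    while e:
        if e & 1:
            r = f2_mul(r, x)
        x, e = f2_mul(x, x), e >> 1
    return r

def trace(x, p=P):
    """Tr_p(x) = x + x^p.  Since n is a non-residue, w^p = -w, so the trace of
    a + b*w is 2a: one element of F_p, i.e. log p bits instead of 2 log p."""
    return 2 * x[0] % p

def subgroup_generator(rng, p=P, q=Q):
    """A generator of G_{q,p,2}: the (p^2 - 1)/q-th power of a random element of
    F_{p^2}^*, retried until the result is not the identity."""
    while True:
        g = f2_pow((rng.randrange(p), rng.randrange(p)), (p * p - 1) // q)
        if g not in ((1, 0), (0, 0)):
            return g

def lucas_v(t, k, p=P):
    """V_k of the Lucas sequence with parameters (t, 1), i.e. Tr_p(h^k) given only
    t = Tr_p(h).  Binary ladder on (V_k, V_{k+1}) using V_{2k} = V_k^2 - 2 and
    V_{2k+1} = V_k V_{k+1} - t, so no F_{p^2} arithmetic is needed."""
    v0, v1 = 2 % p, t % p                      # (V_0, V_1)
    for bit in bin(k)[2:]:
        if bit == "0":                         # (V_k, V_{k+1}) -> (V_{2k}, V_{2k+1})
            v0, v1 = (v0 * v0 - 2) % p, (v0 * v1 - t) % p
        else:                                  # (V_k, V_{k+1}) -> (V_{2k+1}, V_{2k+2})
            v0, v1 = (v0 * v1 - t) % p, (v1 * v1 - 2) % p
    return v0

def lucdif(seed, p=P, q=Q):
    """One LUCDIF exchange with a seeded RNG.  Returns the two transmitted traces,
    the key each party derives, and Tr_p(g^(ab)) computed directly in F_{p^2}."""
    rng = random.Random(seed)
    g = subgroup_generator(rng)
    t = trace(g)                               # public parameter: Tr_p(g), not g
    a, b = rng.randrange(1, q), rng.randrange(1, q)
    ta, tb = lucas_v(t, a), lucas_v(t, b)      # Alice sends Tr_p(g^a), Bob sends Tr_p(g^b)
    key_alice = lucas_v(tb, a)                 # Tr_p((g^b)^a)
    key_bob = lucas_v(ta, b)                   # Tr_p((g^a)^b)
    return ta, tb, key_alice, key_bob, trace(f2_pow(g, a * b))
```

The direct check works because every element of $G_{q,p,2}$ has norm $h^{p+1} = 1$, which is exactly what makes $V_a(\mathrm{Tr}_p(g^b)) = \mathrm{Tr}_p(g^{ab})$.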


Example 2. The XTR system represents elements of a cyclotomic subgroup $G_{q,p,6}$ by their minimal polynomials over $\mathbb{F}_{p^2}$. (This subgroup is called an XTR group in the XTR literature.) The minimal polynomial over $\mathbb{F}_{p^2}$ of a non-identity element $h \in G_{q,p,6}$ is

$$P_h = (X - h)(X - h^{p^2})(X - h^{p^4})$$
$$= X^3 - (h + h^{p^2} + h^{p^4})X^2 + (h^{p^2+1} + h^{p^4+1} + h^{p^4+p^2})X - h^{p^4+p^2+1}$$
$$= X^3 - \mathrm{Tr}_{p^2}(h)X^2 + (h^{p^2+1} + h^{p^4+1} + h^{p^4+p^2})X - h^{p^4+p^2+1}$$

where $\mathrm{Tr}_{p^2}$ denotes the trace over $\mathbb{F}_{p^2}$.

Since $q \mid \Phi_6(p) = p^2 - p + 1$ and $p^2 - p + 1 \mid p^4 + p^2 + 1$ we know that the constant term of $P_h$ is $-1$. Furthermore the congruences $p^2 + 1 \equiv p$, $p^4 + 1 \equiv p^5$ and $p^4 + p^2 \equiv p^3$ modulo $p^2 - p + 1$ imply that the coefficient $h^{p^2+1} + h^{p^4+1} + h^{p^4+p^2}$ is equal to $\mathrm{Tr}_{p^2}(h)^p$. Thus

$$P_h = X^3 - \mathrm{Tr}_{p^2}(h)X^2 + \mathrm{Tr}_{p^2}(h)^p X - 1,$$

which is completely determined by the value of $\mathrm{Tr}_{p^2}(h) \in \mathbb{F}_{p^2}$. It follows that only $2 \log p$ bits are required to represent elements of $G_{q,p,6}$ by their minimal polynomials, which compares very favourably to the $6 \log p$ bits that would be required using a standard representation.

Clearly in order to apply XTR to a DL-based cryptosystem it is necessary to be able to perform certain computations using traces of elements of the XTR group. For example in Diffie-Hellman key exchange we must be able to compute $\mathrm{Tr}_{p^2}(g^{xy})$ given $\mathrm{Tr}_{p^2}(g^x)$ and $y$. Efficient methods for performing the calculations required for XTR variants of cryptosystems such as Diffie-Hellman key exchange and DSA have been developed by Lenstra and Verheul (see PH, PH, 93 > D3) and Lenstra and Stam (see E9). As with LUC these methods are computationally more efficient than the corresponding calculations performed in $G_{q,p,6}$ without using traces.

We conclude this section by discussing some security issues.

The most effective known methods of (passive) attack against DL-systems are based on the Birthday Paradox or use of the Number Field Sieve. Birthday Paradox based algorithms (such as Pollard's rho algorithm j2Dj) have expected running times of order $\sqrt{q}$ elementary operations in $G$, where $q$ is the largest prime factor of the order of $G$. The Discrete Logarithm variant of the Number Field Sieve has a heuristic expected asymptotic running time of $L[p, 1/3, 1.923 + o(1)]$ (see P and j2j).

The security of the original Diffie-Hellman system, which uses $G_{p,1}$, depends not only on the size of $p$ but also on that of the largest prime factor of $p - 1$; for adequate security this factor should have at least 160 bits. To resist Number Field Sieve attacks $p$ should be at least 1024-bit.

For systems (like LUC, XTR) employing cyclotomic subgroups $G_{q,p,k}$ of $\mathbb{F}_{p^k}$ the same requirements on the size of $q$ apply: $q$ should have at least 160 bits to be secure against Birthday Paradox attacks. The following lemma (see also 0 Lemma 2.4], as corrected by Minghua Qu) shows that the condition $q \nmid k$ ensures that every non-identity element of a cyclotomic subgroup $G_{q,p,k}$ lies outside every proper subfield of $\mathbb{F}_{p^k}$, and hence that $G_{q,p,k}$ is as secure against Number Field Sieve attacks as $\mathbb{F}_{p^k}$ itself. This means that $p$ should be chosen in such a way that $k \cdot \log p > 1024$. Hence for LUC $p$ of at least 512 bits is recommended, and for XTR of at least 171 bits.

Lemma 1. If $h \in G_{q,p,k} \setminus \{1\}$ then $h \notin \mathbb{F}_{p^d}$ for proper divisors $d$ of $k$.

Proof. Since $q \nmid k$ we have $\gcd(X^k - 1, kX^{k-1}) = 1$ in $\mathbb{F}_q[X]$ and thus $X^k - 1$ has no repeated roots in the algebraic closure of $\mathbb{F}_q$. As $X^k - 1 = \prod_{e \mid k} \Phi_e(X)$ and $\Phi_k(p) \equiv 0 \bmod q$ we see that $\Phi_e(p) \not\equiv 0 \bmod q$ for $e \mid k$, $e < k$. But for any proper divisor $d$ of $k$ we have

$$X^d - 1 = \prod_{e \mid d} \Phi_e(X) \;\Big|\; \prod_{e \mid k,\; e < k} \Phi_e(X),$$

so $p^d - 1 \not\equiv 0 \bmod q$. Thus the order of $\mathbb{F}_{p^d}^*$ is not a multiple of the order $q$ of $h$.

3 Do More Compact Representations than XTR Exist?

By representing elements of cyclotomic subgroups by their minimal polynomials over a subfield, LUC and XTR reduce the number of required bits per element by a factor 2 and 3 respectively. A natural question arises: can we do any better?

Both LUC and XTR provide evidence for the BPV conjecture mentioned in the Introduction, which can be informally stated as follows, using Euler's totient function $\phi$:

Elements of $G_{q,p,k}$ can be represented with $\phi(k) \log p$ bits using minimal polynomials over some subfield of $\mathbb{F}_{p^k}$.

If the BPV conjecture were true the best size reduction (compared to a standard representation) is achieved when the ratio $k/\phi(k)$ is large. This happens when $k$ is the product of distinct primes. LUC and XTR are the simplest such cases and the next value of $k$ of interest would be $k = 2 \cdot 3 \cdot 5 = 30$. We shall investigate this case in Section 7.

We now present two more examples that provide further evidence in support of the BPV conjecture.

Example 3. Let $k$ be a prime and let $h \in G_{q,p,k}$, with $h \ne 1$. The minimal polynomial of $h$ over $\mathbb{F}_p$ has degree $k$ and constant term equal to $1$ if $k = 2$ and $-1$ otherwise (see Theorem 1). Therefore $P_h$ is completely determined by the $k - 1$ coefficients of $X, X^2, \ldots, X^{k-1}$. Since these coefficients are elements of $\mathbb{F}_p$ and $\phi(k) = k - 1$ it follows that elements of $G_{q,p,k}$ can be represented by $\phi(k) \log p$ bits, in support of the BPV conjecture.

Note that one can base generalisations of LUC on this example. In fact such a variant was published by G. Gong and L. Harn for $k = 3$ (see Q). Here recurrent Lucas sequences similar to those used in LUC are employed. However this system has an 'improvement factor' $k/\phi(k)$ of just $3/2$.

Example 4. Let $k = 6$, so that the extension field has the same degree as in XTR (Example 2). In XTR we considered the minimal polynomial over $\mathbb{F}_{p^2}$ of $h \in G_{q,p,6}$, $h \ne 1$. We now consider the minimal polynomial

$$P_h = \prod_{0 \le i \le 5} (X - h^{p^i}) = X^6 + a_5X^5 + a_4X^4 + a_3X^3 + a_2X^2 + a_1X + a_0$$

of $h$ over $\mathbb{F}_p$. The constant term $a_0 = 1$ since the order $q$ of $h$ divides $\Phi_6(p)$ which in turn divides $1 + p + p^2 + p^3 + p^4 + p^5$. Using $p^3 \equiv -1 \bmod q$ it is easily shown that $a_1 = a_5$ and $a_2 = a_4$ (cf. Corollary 1). We note that the value of the first elementary symmetric polynomial in the conjugates of $h$ is $-a_5$ and the value of the second elementary symmetric polynomial in the conjugates of $h$ is $a_4$. Furthermore one can write $a_3$ (which is minus the value of the third elementary symmetric polynomial in the conjugates of $h$) as a symmetric polynomial of degree 2 in the conjugates of $h$. By the Fundamental Theorem of Symmetric Polynomials JTHJ Theorem 4.31] it follows that it is possible to write $a_3$ as a polynomial in $a_5$ and $a_4$. In fact we have $a_3 = -a_5^2 + 2a_4 + 2a_5 - 2$, a relationship first noted in 0. It follows that $P_h$ is completely determined by $a_5$ and $a_4$ so that $h$ can be represented by two elements of $\mathbb{F}_p$, that is by $\phi(6) \log p$ bits, in support of the conjecture.

The four examples that we have considered so far have demonstrated relationships that can hold between coefficients of minimal polynomials of elements of a cyclotomic subgroup $G_{q,p,k}$. In the next section we shall prove some general results concerning these relationships. We shall also formulate a weaker version of the BPV conjecture (Conjecture 1) that is more amenable to verification.

4 Coefficients of the Minimal Polynomials

We begin with the following theorem.

Theorem 1. Let $h$ be a generator of a cyclotomic subgroup $G_{q,p,k}$, where $p$ is odd and $k > 2$. Let $X^{k/d} + a_{k/d-1}X^{k/d-1} + \cdots + a_1X + a_0$ be the minimal polynomial of $h$ over $\mathbb{F}_{p^d}$, for some $d$ dividing $k$, with $d < k$. Then $a_0 = (-1)^{k/d}$, and if $k = 2\ell$ is even, $a_i = (-1)^{k/d} a_{k/d-i}^{p^\ell}$ for $i = 1, \ldots, k/d-1$.

Proof. Write $h_j = h^{p^{dj}}$ for $j = 0, \ldots, k/d-1$. Then

$$X^{k/d} + a_{k/d-1}X^{k/d-1} + \cdots + a_1X + a_0 = \prod_{j=0}^{k/d-1} (X - h_j),$$

and comparing coefficients we see that $a_i = (-1)^{k/d-i}\sigma_{k/d-i}(h_0, \ldots, h_{k/d-1})$ for $i = 0, \ldots, k/d-1$, where $\sigma_n(h_0, \ldots, h_{k/d-1})$ is the $n$-th elementary symmetric polynomial in the conjugates $h_j$ of $h$. In particular

$$a_0 = (-1)^{k/d}\sigma_{k/d}(h_0, \ldots, h_{k/d-1}) = (-1)^{k/d} h_0 \cdots h_{k/d-1} = (-1)^{k/d} h^{1 + p^d + p^{2d} + \cdots + p^{k-d}}.$$

But $1 + p^d + p^{2d} + \cdots + p^{k-d} = (p^k - 1)/(p^d - 1)$ which is divisible by $\Phi_k(p)$ and hence by $q$, the order of $h$. Therefore $a_0 = (-1)^{k/d}$.

If $k = 2\ell$ is even then $p^k - 1 = (p^\ell - 1)(p^\ell + 1)$. Since the order $q$ of $h$ divides $p^k - 1$ but not $p^\ell - 1$ we have $p^\ell \equiv -1 \bmod q$ and therefore $h_j^{p^\ell} = h_j^{-1}$ for $j = 0, \ldots, k/d-1$. Furthermore, since $h_0 \cdot h_1 \cdots h_{k/d-1} = 1$ we have $\sigma_{k/d-i}(h_0, \ldots, h_{k/d-1}) = \sigma_i(h_0^{-1}, \ldots, h_{k/d-1}^{-1})$ for $i = 1, \ldots, k/d-1$. It follows that for $i = 1, \ldots, k/d-1$

$$\sigma_{k/d-i}(h_0, \ldots, h_{k/d-1}) = \sigma_i(h_0^{-1}, \ldots, h_{k/d-1}^{-1}) = \sigma_i(h_0^{p^\ell}, \ldots, h_{k/d-1}^{p^\ell})$$
$$= \sigma_i(h_0, \ldots, h_{k/d-1})^{p^\ell} \quad \text{(characteristic } p\text{)}$$
$$= ((-1)^i a_{k/d-i})^{p^\ell} = (-1)^i a_{k/d-i}^{p^\ell}.$$

Therefore, as required, for $i = 1, \ldots, k/d-1$:

$$a_i = (-1)^{k/d-i}\sigma_{k/d-i}(h_0, \ldots, h_{k/d-1}) = (-1)^{k/d} a_{k/d-i}^{p^\ell}.$$

Corollary 1. If $k$ is even and $d$ divides $k/2$ then the minimal polynomial over $\mathbb{F}_{p^d}$ of a generator of $G_{q,p,k}$ is palindromic: $a_i = a_{k/d-i}$ for $i = 0, \ldots, k/d$.

Proof. Write $\ell = k/2$. Elements of $\mathbb{F}_{p^d}$ are invariant under $p^\ell$-th powering since $d$ divides $\ell$. Hence, by the previous theorem, $a_i = (-1)^{k/d} a_{k/d-i}$ for $i = 0, \ldots, k/d$. Since $k/d$ is even the result follows.

Proposition 1. Let $k = de$, with $e > 1$. Then for any element $h$ of $G_{q,p,k}$ the minimal polynomial $P_h$ over $\mathbb{F}_{p^d}$ can be represented using the following number of elements of $\mathbb{F}_{p^d}$:

• $e - 1$, if $de$ is odd;

• $(e-1)/2$, if $d$ is even and $e$ is odd;

• $e/2$, if $e$ is even.

Proof. We represent elements of $G_{q,p,k}$ by their minimal polynomials over the subfield of degree $d$. The constant coefficient is $\pm 1$, so $e - 1$ elements of $\mathbb{F}_{p^d}$ suffice to represent elements of $G_{q,p,k}$. This covers the first case.

In the second and third cases $k$ is even and by Theorem 1 only half of the remaining $e - 1$ coefficients are required. More precisely if $e$ is odd we need $(e-1)/2$ coefficients and if $e$ is even we require $e/2$ coefficients.

Note that, unfortunately, this result cannot be used recursively since the coefficients $a_i$ are not (in general) in a cyclotomic subgroup of $\mathbb{F}_{p^d}$.

Proposition 1 leaves a choice for $d$ and $e$ if $k$ is composite, and some choices will offer better improvement factors than others. If $k$ is even but not a power of two then Proposition 1 indicates that a good choice for $e$ is the smallest odd divisor of $k$ greater than 1. For example when $k$ is divisible by 6 we can choose $e = 3$ and $d = k/3$ and thereby achieve an improvement ratio of 3. In the following example, which generalises Example 4, we show that the same improvement ratio can be achieved by taking $e = 6$.

Example 5. Let $k$ be of the form $6d$, let $r = p^d$ and consider $P_h$, the minimal polynomial over $\mathbb{F}_r$ of $h \in G_{q,p,k} \setminus \{1\}$:

$$P_h = \prod_{0 \le i \le 5} (X - h^{r^i}) = X^6 + a_5X^5 + a_4X^4 + a_3X^3 + a_2X^2 + a_1X + a_0$$

where $a_i \in \mathbb{F}_r$.

The order of $h$ is $q$, which divides $\Phi_{6d}(p)$. It is well-known (see jHJ) that $\Phi_{6d}(X) \mid \Phi_6(X^d)$ so $q$ divides $\Phi_6(r) = r^2 - r + 1$.

Arguing as in Example 2 we have

$$(X - h)(X - h^{r^2})(X - h^{r^4}) = X^3 - tX^2 + t^rX - 1,$$

where $t = \mathrm{Tr}_{r^2}(h) \in \mathbb{F}_{r^2}$ is the trace of $h$ over $\mathbb{F}_{r^2}$. From this we have

$$(X - h^r)(X - h^{r^3})(X - h^{r^5}) = X^3 - t^rX^2 + t^{r^2}X - 1.$$

Since $t^{r^2} = t$ it follows that

$$P_h = (X^3 - tX^2 + t^rX - 1)(X^3 - t^rX^2 + tX - 1),$$

and we see that not only is $P_h$ palindromic, as Corollary 1 implies, with $a_0 = 1$, $a_1 = a_5 = -t - t^r$ and $a_2 = a_4 = t + t^r + t^{1+r}$, but also that

$$a_3 = -2 - t^2 - t^{2r} = -(-t - t^r)^2 + 2(t + t^r + t^{1+r}) + 2(-t - t^r) - 2 = -a_5^2 + 2a_4 + 2a_5 - 2.$$

This means that we only need $a_5$ and $a_4$ to specify $P_h$.

Table 1. The table summarises the results of Proposition 1 and Example 5 concerning the number of words $S$ of size $\log p$ that suffices to represent the minimal polynomials of elements of $G_{q,p,de}$, and the improvement ratio $de/S$. Note that $S$ is an upper bound; fewer words may do.

  d      e      S               ratio: de/S
  odd    odd    d · (e − 1)     e/(e − 1)
  even   odd    d · (e − 1)/2   2e/(e − 1)
  even   even   d · e/2         2
  odd    even   d · e/2         2
  any    6      d · 2           3
5 The Conjectures

We now work towards a more precise formulation of the BPV conjecture. Consider some $k = de$ with $e > 1$. Let $h$ be an element of the $(p,k)$-cyclotomic group $G_{p,k}$ that is not contained in any proper subfield of $\mathbb{F}_{p^k}$ and let $P_h^{(d)} = X^e + a_{e-1}X^{e-1} + \cdots + a_1X + a_0$ be the minimal polynomial of $h$ over $\mathbb{F}_{p^d}$. Note that $a_{e-j}$ corresponds, up to sign, to the $j$-th elementary symmetric polynomial evaluated in the $e$ conjugates of $h$ over $\mathbb{F}_{p^d}$. By Theorem 1 we have $a_0 = (-1)^e$.

For $1 \le i \le e-1$ let $A_i = \{a_{e-1}, \ldots, a_{e-i}\}$. We let $u_d$ denote the smallest integer with the property that the set $A_{e-1}$ of all non-trivial coefficients of $P_h^{(d)}$ can be recovered from $A_{u_d}$. Thus all coefficients of $P_h^{(d)}$ can be recovered from the first $u_d$ elementary symmetric polynomials in the conjugates of $h$ over $\mathbb{F}_{p^d}$ but not from the first $u_d - 1$ polynomials.

We must address the question of what we mean by 'recovering' $A_{e-1}$ from a subset $A_i$. Note that we should not simply state that all $a_j$ can be expressed as polynomials in the elements of $A_i$, since the coefficients come from a finite field in which many relations will exist. It seems one requires the existence of such an expression independent of $p$, although perhaps dependent on $d$ and $e$. However this is still not entirely satisfactory: the second part of Theorem 1 states that we can recover, for example, $a_1$ from $a_{k/d-1}$ using conjugates, i.e. in a manner which does depend on $p$. This means that our 'recovery' notion for $d > 1$ should imply the existence of polynomials with integer coefficients and degree independent of $p$ that, when evaluated in the $d$ conjugates over $\mathbb{F}_p$ of the elements of $A_i$, will yield the other coefficients.

We shall introduce multivariate polynomials in indeterminates $X_j$, and evaluate the polynomials at the elements of some coefficient set $A_i$. It will be convenient to define the weighted degree of a monomial $X_1^{e_1} \cdots X_n^{e_n}$ in $\mathbb{Z}[X_1, \ldots, X_n]$ to be $\sum_{j=1}^{n} j \cdot e_j$ and the weighted degree of a polynomial $P$ as the maximum of the weighted degrees of the monomials that appear in $P$ (with non-zero coefficient). Note that $X_j$ has weighted degree $j$ in $P$. The motivation for this definition is that we shall evaluate $X_j$ in $a_{e-j}$, which is symmetric of degree $j$ in the conjugates of $h$ over $\mathbb{F}_{p^d}$.

Observe that $G_{p,k}$ is asymptotically of size $p^{\phi(k)}$. Therefore in order to represent the whole of $G_{p,k}$ by the minimal polynomials of its elements over $\mathbb{F}_{p^d}$ we must have $d \cdot u_d \ge \phi(k)$. Thus, for given values of $k$ and $d$, we have an information-theoretic lower bound of $\lceil \phi(k)/d \rceil$ on the value of $u_d$. The conjecture states that in fact $u_d$ is always equal to this lower bound.

We now come to our first formulation of the BPV conjecture.

Conjecture 1 ($(d,e)$-BPV). Let $k = de$, with $e > 1$. Let $u_d$ be the least value of $u$ for which $Q_j \in \mathbb{Z}[X_1^{(0)}, \ldots, X_1^{(d-1)}, X_2^{(0)}, \ldots, X_2^{(d-1)}, \ldots, X_u^{(0)}, \ldots, X_u^{(d-1)}]$ exist, for $1 \le j \le e-u-1$, such that for every prime $p$ and every element $h \in G_{p,k}$ that is not contained in a proper subfield of $\mathbb{F}_{p^k}$, the coefficient $a_j$ of $P_h^{(d)}$ is given by

$$a_j = \bar{Q}_j(a_{e-1}, a_{e-1}^p, \ldots, a_{e-1}^{p^{d-1}}, a_{e-2}, a_{e-2}^p, \ldots, a_{e-2}^{p^{d-1}}, \ldots, a_{e-u}, a_{e-u}^p, \ldots, a_{e-u}^{p^{d-1}}),$$

for $1 \le j \le e-u-1$, where $\bar{Q}_j$ denotes $Q_j$ with coefficients taken modulo $p$. Then $u_d = \lceil \phi(de)/d \rceil$.

Motivated by Example 5 we also formulate a strong form of the conjecture, including a bound on the (weighted) degree of the polynomials involved.

Conjecture 2 (strong $(d,e)$-BPV). Let $k = de$, with $e > 1$. Let $u_d^*$ be the smallest integer for which there exist polynomials $Q_j$ as in Conjecture $(d,e)$-BPV with the additional requirement that the polynomials $Q_j$ are of weighted degree at most $u$, where the weighted degree of $X_k^{(i)}$ is $k$ (for $1 \le k \le u$ and $0 \le i \le d-1$). Then $u_d^* = \lceil \phi(de)/d \rceil$.

The main conjecture, which was stated informally in Section 3, can now be made precise. For $k > 1$ we define $\mathrm{red}(k) = \min\{d \cdot u_d\}$, where the minimum is taken over all proper divisors $d$ of $k$.

Conjecture 3 ($k$-BPV). Let $k > 1$ be an integer. There exists a proper divisor $d$ of $k$ such that $d$ divides $\phi(k)$ and for which $(d, k/d)$-BPV holds. Therefore $\mathrm{red}(k) = \phi(k)$.

Conjecture 3 applies to all elements of $G_{p,k}$ that are not contained in a proper subfield of $\mathbb{F}_{p^k}$. Therefore if Conjecture 3 were true then the BPV conjecture, which we expressed earlier in terms of cyclotomic subgroups $G_{q,p,k}$, would certainly hold as well.

Finally, we formulate the obvious strengthened version of Conjecture 3 including a bound on the degree.

Conjecture 4 (strong $k$-BPV). Let $k > 1$ be an integer. There exists a proper divisor $d$ of $k$ such that $d$ divides $\phi(k)$ and for which strong $(d, k/d)$-BPV holds.

Our preparatory work on the coefficients implies the correctness of Conjecture 4 and hence of Conjecture 3 for a whole family of values of $k$.

Proposition 2. Let $2^s p_1^{r_1} p_2^{r_2} \cdots p_n^{r_n}$ be the prime factorisation of $k > 1$ with $2 < p_1 < \ldots < p_n$. Then $\mathrm{red}(k) \le \phi(2^s p_1^{r_1}) p_2^{r_2} \cdots p_n^{r_n}$. In particular, if $k$ is of the form $2^s p_1^{r_1}$ then Conjecture 3 holds for $k$; and $\mathrm{red}(k) = \phi(k)$ in this case.

Proof. If $k = 2^s$ and $s > 1$ then taking $d = 2^{s-1}$ and $e = 2$ in the even-even case of Proposition 1 gives the result since $\phi(2^s) = 2^{s-1}$. Similarly, if $k = p_1^{r_1}$ with $r_1 > 1$, the result follows from taking $d = p_1^{r_1-1}$ and $e = p_1$ in the odd-odd case as $\phi(p_1^{r_1}) = (p_1 - 1)p_1^{r_1-1}$. The general case of the first part of the result (where $r_1, s > 1$) follows by taking $d = 2^s p_1^{r_1-1} p_2^{r_2} \cdots p_n^{r_n}$ and $e = p_1$ in the even-odd case. The final part follows directly, using the observation that $\mathrm{red}(k) \ge \phi(k)$.

Proposition 2 implies that Conjecture 3 holds for all $k \le 30$ with $k \ne 15, 21, 30$.

Example 6. The first case of real interest of Conjecture $k$-BPV is $k = 30$, as there an improvement ratio of $30/8 > 3$ might be obtained. By virtue of Proposition 1 it follows that, by choosing $e = 3$, we can represent elements of the cyclotomic group $G_{p,30}$ as minimal polynomials using a single coefficient from the subfield of $p^{10}$ elements, so using $10 \log p$ bits. Therefore $\mathrm{red}(30) \le 10$.

Conjecture 30-BPV states that in fact only $\phi(30) \log p = 8 \log p$ bits are necessary. More specifically the conjecture says that for some divisor $d$ of $\phi(30) = 8$, the minimal polynomial over $\mathbb{F}_{p^d}$ of any element of $G_{p,30}$ can be generated by eight elements of $\mathbb{F}_p$. For $d = 2$, for example, it could be that only the four highest of the non-trivial coefficients of minimal polynomials over $\mathbb{F}_{p^2}$ are independent, and that the others can be expressed as polynomial expressions in these. This would represent a significant improvement on the upper bound provided by Proposition 1 which states that the seven highest non-trivial coefficients are sufficient to generate the others.

The 25 pairs $(d, e)$ with $de \le 30$ for which Proposition 1 and Example 5 do not provide a proof of Conjecture 1 are listed in the table at the end of Section 7.

6 The Magma Programs

In order to test the conjectures formulated in the previous section we performed some experiments using the computer algebra system Magma 0.

Algorithm 1 (Find relations). Input: integers $p, k, d, u, v, j$.

Output: a set $\mathcal{Q}$ of polynomials in $\mathbb{Z}[X_1, \ldots, X_u, Y]$.

Description:

Determine a prime divisor $q$ of $\Phi_k(p)$ not dividing $k$ (Lemma 1), and a generator $h$ of $G_{q,p,k}$ (e.g. taking the $(p^k - 1)/q$-th power of a primitive element $g$ of $\mathbb{F}_{p^k}$). Next, generate the finite set $S$ of all sequences $[s_1, \ldots, s_u]$ with $\sum_{i=1}^{u} i \cdot s_i \le v$. Now generate $s = \#S$ random elements $h_1, \ldots, h_s$ of $G_{q,p,k}$, for example by taking random powers of $h$, determine the minimal polynomials

$$P_{h_i}^{(d)} = X^{k/d} + a_{k/d-1}X^{k/d-1} + \cdots + a_1X + a_0$$

of these elements over $\mathbb{F}_{p^d}$ and evaluate $m(h_i, s) = a_{e-1}^{s_1} \cdot a_{e-2}^{s_2} \cdots a_{e-u}^{s_u}$ for all $s \in S$. Let $M$ be the square $s \times s$ matrix with entries in $\mathbb{F}_{p^d}$, the $i$-th row of which consists of the monomials $m(h_i, s)$, for $s$ ranging over $S$. Let $w \in \mathbb{F}_{p^d}^s$ consist of the coefficients $a_j$ (with $j$ given by the input) of the polynomials $P_{h_i}^{(d)}$, for $i = 1, 2, \ldots, s$.

Solve the linear system of equations $Mc = w$ for $c \in \mathbb{F}_p^s$. If the solution space is non-empty, translate each element $c$ from the solution space back to a polynomial relation $C \in \mathbb{Z}[X_1, \ldots, X_u, Y]$ via

$$C = \sum_{s \in S} c_s X_1^{s_1} \cdots X_u^{s_u} - Y,$$

where on the right we interpret the component $c_s \in \mathbb{F}_p$ of the vector $c$ as an integer by taking the least integer representative for its residue class modulo $p$.

Finally, determine the Gröbner basis $\mathcal{Q}$ of the ideal generated by these relations in $\mathbb{Q}[X_1, \ldots, X_u, Y]$.

This ends the description of the algorithm.
The output of the algorithm consists of polynomials in $u$ variables that form a basis for all polynomial relations $Q(a_{e-1}, \ldots, a_{e-u}) - a_j = 0$ between the coefficients of the minimal polynomial for generators of the cyclotomic subgroup $G_{q,p,k}$, satisfying the condition that the weighted degree of $Q$ is at most $v$.

To verify Conjecture 2 for a pair $(d, e)$ we apply the following algorithm, with input $d, e$ and with $w = \lceil \phi(de)/d \rceil$.

Algorithm 2. Input: integers $d, e, w$.

Output: either 'false' or sets $\mathcal{Q}_j$ of candidate polynomials for Conjecture 2.

Description:

Let $u = \lceil \phi(de)/d \rceil$.

Repeat the following step for $j = e-u-1, e-u-2, \ldots, 1$ in succession, terminating with output 'false' when an empty set $\mathcal{Q}_j$ is encountered, and with sets $\mathcal{Q}_j$, $j = e-u-1, \ldots, 1$, as output otherwise:

Choose a prime number $p$, and apply Algorithm 1 with input $p$, $k = de$, $d$, $u$, $v = w$, $j$ to determine a set $\mathcal{Q}_j$.

If Algorithm 2 returns 'false', Conjecture 2 is refuted for the given values of $d, e$ as no polynomial relation exists (for at least one $j$) of weighted degree at most $u_d$ that works modulo $p$. Otherwise it returns candidate polynomials $Q_j$ expressing $a_j$ in $a_{e-1}, \ldots, a_{e-u}$. These candidates have only been proven to work for a single prime number $p$: to increase confidence one would test the candidates for different values of $p$.

A (less effective) alternative to Algorithm 2 consists of a single application of Algorithm 1 rather than $e-u-1$ successive ones, by replacing in the input for Algorithm 1 the values of $u$ and $v$ by $e - 1$, and putting $j = 0$. The result will be that Algorithm 1 will attempt to find all algebraic relations between all $a_i$'s (of weighted degree bounded by $v$) in one go; if the conjectured relations exist, the Gröbner basis will exhibit them all. This approach is only feasible for very small values of $de$ (see Example 7).

Algorithm 2 rarely succeeds; it is designed to refute Conjecture 2 for pairs $d, e$. Likewise, the following algorithm is designed to refute Conjecture 1.

Algorithm 3. Input: integers $d, e$.

Output: either 'false' or sets $\mathcal{Q}_j$ of candidate polynomials for Conjecture 1.

Description:

Repeatedly apply Algorithm 2 with input triples $d, e, w$, until sets $\mathcal{Q}_j$ are returned, starting with $w = \lceil \phi(de)/d \rceil$, and incrementing $w$ by 1 when Algorithm 2 returns 'false'.

It should now also be clear how to attempt to refute (or prove) Conjectures 3 and 4: apply Algorithms 2 and 3 for all pairs $(d, e)$ of divisors of $k$ with $d$ dividing $\phi(k)$.

As stated, the algorithms do not look for dependencies involving the $\mathbb{F}_p$-conjugates of $a_{e-1}, \ldots, a_{e-u}$. The reason for this is that initially we attempt to find dependencies that do not involve the proper conjugates; the algorithm can easily be modified to include them, but doing this blows up the number of variables in the monomials by a factor $d^u$. We have omitted this from the description of the algorithms for the sake of clarity.
The Gröbner basis of the ideal is determined to detect dependencies between relations that are found. In our experiments usually one of three things happened: either no relation was found, or many relations were found due to the fact that the prime was chosen too small, or a few relations were found that generated an ideal with a Gröbner basis consisting of a single polynomial relation expressing the dependency of $a_{e-u-1}$ on $a_{e-1}, \ldots, a_{e-u}$. See for example, for a discussion of Gröbner bases.

The main feature of Algorithm 1 is that of converting the problem of finding a polynomial relation to finding the kernel of a matrix over a finite field: the columns of the matrix correspond to the monomials, and the existence of an algebraic relation between the coefficients implies a dependency between the evaluations of the monomials at the coefficients, that is between the columns of the matrix. Thus the problem is reduced to linear algebra over $\mathbb{F}_{p^d}$.
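The kernel computation just described, as an added Python example (not the authors' Magma program) for the case $d = 1$ and without the Gröbner step: it builds $\mathbb{F}_{p^k}$ from a random irreducible polynomial, samples elements of $G_{q,p,k}$, computes their minimal polynomials over $\mathbb{F}_p$ and solves for relations $a_j = Q(a_{k-1}, \ldots, a_{k-u})$ of bounded weighted degree. The function names, the use of Rabin's irreducibility test, and the choices $q = 5101$ for $p = 101$, $k = 4$ (the run of Example 7) and $q = 607$ for $p = 211$, $k = 6$ (the relations of Examples 4 and 8) are the example's own.

```python
import itertools
import math
import random

# Polynomials over F_p are coefficient lists, lowest degree first; [] is zero.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a
def pmul(a, b, p):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)
def psub(a, b, p):
    return trim([(x - y) % p for x, y in itertools.zip_longest(a, b, fillvalue=0)])
def pmod(a, f, p):  # remainder of a modulo a nonzero polynomial f
    a, inv = trim(a[:]), pow(f[-1], -1, p)
    while len(a) >= len(f):
        c, shift = a[-1] * inv % p, len(a) - len(f)
        for i, fi in enumerate(f):
            a[shift + i] = (a[shift + i] - c * fi) % p
        trim(a)
    return a
def pgcd(a, b, p):
    while b:
        a, b = b, pmod(a, b, p)
    return a
def ppow(a, e, f, p):  # a^e in F_p[X]/(f) by square-and-multiply
    r, a = [1], pmod(a, f, p)
    while e:
        if e & 1:
            r = pmod(pmul(r, a, p), f, p)
        a, e = pmod(pmul(a, a, p), f, p), e >> 1
    return r

def is_irreducible(f, p):
    """Rabin's test: X^(p^k) = X (mod f) and gcd(X^(p^(k/r)) - X, f) = 1 for primes r | k."""
    k, x = len(f) - 1, [0, 1]
    primes = [r for r in range(2, k + 1) if k % r == 0 and all(r % s for s in range(2, r))]
    return ppow(x, p ** k, f, p) == x and all(
        len(pgcd(f, psub(ppow(x, p ** (k // r), f, p), x, p), p)) == 1 for r in primes)

def min_poly(h, f, p):
    """Minimal polynomial prod_i (X - h^(p^i)) of h over F_p, as [a_0, ..., a_{k-1}, 1]."""
    k, poly = len(f) - 1, [[1]]  # poly has F_{p^k}-valued coefficients
    for i in range(k):
        c = ppow(h, p ** i, f, p)  # i-th Frobenius conjugate; multiply poly by (X - c)
        poly = [pmod(psub(lo, pmul(c, hi, p), p), f, p)
                for lo, hi in zip([[]] + poly, poly + [[]])]
    assert all(len(co) <= 1 for co in poly), "coefficients must lie in F_p"
    return [co[0] if co else 0 for co in poly]

def nullspace(rows, p):
    """Basis of {c : M c = 0} over F_p for the matrix M given by its rows."""
    m, n, pivots = [r[:] for r in rows], len(rows[0]), []
    for c in range(n):
        r = len(pivots)
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [x * inv % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                m[i] = [(x - m[i][c] * y) % p for x, y in zip(m[i], m[r])]
        pivots.append(c)
    basis = []
    for fc in (c for c in range(n) if c not in pivots):
        v = [0] * n
        v[fc] = 1
        for i, pc in enumerate(pivots):
            v[pc] = -m[i][fc] % p
        basis.append(v)
    return basis

def find_relations(p, k, u, v, j, q, samples, seed=0):
    """Core of Algorithm 1 for d = 1, without the Groebner step: relations
    a_j = sum_s c_s prod_i a_{k-i}^{s_i} of weighted degree <= v for elements of
    G_{q,p,k}, q a prime divisor of Phi_k(p) not dividing k.  Returns dicts {s: c_s}."""
    rng = random.Random(seed)
    assert (p ** k - 1) % q == 0
    f = [rng.randrange(p) for _ in range(k)] + [1]  # F_{p^k} = F_p[X]/(f)
    while not is_irreducible(f, p):
        f = [rng.randrange(p) for _ in range(k)] + [1]
    h = [1]
    while h == [1] or not h:  # generator h of the order-q cyclotomic subgroup
        h = ppow([rng.randrange(p) for _ in range(k)], (p ** k - 1) // q, f, p)
    S = [s for s in itertools.product(*(range(v // i + 1) for i in range(1, u + 1)))
         if sum(i * si for i, si in enumerate(s, 1)) <= v]
    rows = []
    for _ in range(samples):  # one row per random h^r: monomials m(h^r, s), then Y = a_j
        a = min_poly(ppow(h, rng.randrange(1, q), f, p), f, p)
        rows.append([math.prod(pow(a[k - i], si, p) for i, si in enumerate(s, 1)) % p
                     for s in S] + [a[j]])
    # kernel vectors with a Y component, normalised so that Y has coefficient -1
    return [{s: c * -pow(vec[-1], -1, p) % p for s, c in zip(S, vec) if c}
            for vec in nullspace(rows, p) if vec[-1]]
```

With more sample rows than monomials the only kernel vector is the genuine relation; with $p$ too small, as in the $p = 5$ run of Example 7, the matrix has fewer distinct rows than columns and spurious vectors appear.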

The experiments we carried out deviated slightly from the description in this section: the indeterminate $Y$ in Algorithm 1 was given weight $u + 1$ and was allowed to appear with exponent larger than 1 in the polynomial relations (see Example 7). For that reason our searches started at weight (a multiple of) $\lceil \phi(de)/d \rceil + 1$, exceeding the minimal value predicted by Conjecture 2.

Example 7. As a first example we present the output of our algorithm for k = 4. 

Conjecture 0 holds for (d,e) = (2,2) since by Theorem 0 the minimal poly- 
nomials over F p 2 of elements of G p a \ F p 2 are of the form X 2 + a\X + 1 , with 
ai e F p 2. 

The other case for k = 4 is d = 1, e = 4. The minimal polynomials over F p 
of elements of G Pt 4 \ F p 2 are of the form X 4 + < 23 A 3 + a^X 2 + a\X + ao, ao = 1- 

In a run of Algorithm [?] we used p = 5; since Φ_4(5) = 5^2 + 1 = 26, we 
look at [...] in G_{5,4}. To find possible algebraic relations between a_3, a_2 and 
a_1 we take u = 2; we choose w = 3. The only monomials besides Y we obtain 
are X_1^2, X_2, X_1, 1. One run of our algorithm produced two dependencies in the 
matrix M, corresponding to an ideal with Gröbner basis X_1 − Y, X_2 − Y^2 + Y + 1. 
The first of these expresses that a_3 = a_1, as we expect by Theorem [?], but the 
second is an 'accident' caused by the fact that we have chosen p, and thereby 
q, to be very small. Indeed, in this case several minimal polynomials coincided 
(since the 12 non-trivial elements have just 3 different minimal polynomials). 
This illustrates why small primes p should be avoided. 

If we invoke the algorithm with p = 101 instead, we immediately find a 
single relation a_3 − a_1 = 0 and no others. As a matter of fact, if we increase the 
parameters u and w to 3 and 4, the result will be the Gröbner basis a_3 − a_1, a_0 − 
1: the minimal polynomials are always palindromic, and we have rediscovered 
Corollary [?] for this case. 
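As an added illustration (not code from the paper), here is a small Python version of the kernel computation described above for the case k = 4, d = 1 of Example 7: F_{p^4} is built as F_p[x]/(x^4 − a), which assumes p ≡ 1 (mod 4); the minimal polynomial of h = g^{p^2−1} ∈ G_{p,4} is formed from its four Frobenius conjugates, and the kernel of the monomial-evaluation matrix over F_p is computed. The monomial set, sample size and seed are constructed choices; running it with p = 5 and p = 101 shows the spurious relations for small p and exactly the two genuine ones, a_0 − 1 and a_3 − a_1, for p = 101.

```python
"""Toy relation finder for G_{p,4} (constructed example, not the paper's code).
Builds F_{p^4} = F_p[x]/(x^4 - a) (assumes p = 1 mod 4), computes minimal
polynomials over F_p and the kernel of the monomial-evaluation matrix."""
import random

# Monomials in (a3, a2, a1, a0) as exponent tuples: 1, a0, a3, a1, a2 and all
# monomials of degree 2 and 3 in a1, a2 (a constructed search space).
MONOMIALS = [(0, 0, 0, 0), (0, 0, 0, 1), (1, 0, 0, 0), (0, 0, 1, 0), (0, 1, 0, 0),
             (0, 0, 2, 0), (0, 1, 1, 0), (0, 2, 0, 0),
             (0, 0, 3, 0), (0, 1, 2, 0), (0, 2, 1, 0), (0, 3, 0, 0)]


def irreducible_quartic_binomial(p):
    """Smallest a with x^4 - a irreducible over F_p: a must be a non-square
    and must not lie in -4 * F_p^4 (Capelli's criterion for binomials)."""
    squares = {b * b % p for b in range(1, p)}
    fourths = {pow(b, 4, p) for b in range(1, p)}
    for a in range(2, p):
        if a not in squares and (-a * pow(4, -1, p)) % p not in fourths:
            return a
    raise ValueError("no irreducible x^4 - a over F_p")


class F4:
    """F_{p^4} = F_p[x]/(x^4 - a); an element is a list of 4 coefficients."""
    def __init__(self, p):
        self.p, self.a = p, irreducible_quartic_binomial(p)

    def mul(self, u, v):
        c = [0] * 7
        for i in range(4):
            for j in range(4):
                c[i + j] += u[i] * v[j]
        for i in range(3):                  # reduce x^{4+i} = a * x^i
            c[i] += self.a * c[i + 4]
        return [t % self.p for t in c[:4]]

    def pow(self, u, n):
        r = [1, 0, 0, 0]
        while n:
            if n & 1:
                r = self.mul(r, u)
            u, n = self.mul(u, u), n >> 1
        return r


def min_poly(F, h):
    """[a3, a2, a1, a0] of prod_{i<4} (X - h^{p^i}); coefficients lie in F_p."""
    poly, conj = [[1, 0, 0, 0]], h          # monic, coefficients in F_{p^4}
    for _ in range(4):
        shifted = poly + [[0, 0, 0, 0]]     # poly * X
        for i, ci in enumerate(poly):       # minus conj * poly
            t = F.mul(conj, ci)
            shifted[i + 1] = [(x - y) % F.p for x, y in zip(shifted[i + 1], t)]
        poly, conj = shifted, F.pow(conj, F.p)   # next Frobenius conjugate
    assert all(c[1:] == [0, 0, 0] for c in poly)
    return [c[0] for c in poly[1:]]


def nullspace_mod_p(rows, p):
    """Basis of {v : M v = 0} over F_p by Gauss-Jordan elimination; each
    basis vector is a linear dependency between the columns (monomials)."""
    m, ncols, pivots = [r[:] for r in rows], len(rows[0]), []
    for c in range(ncols):
        r = len(pivots)
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [x * inv % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(x - f * y) % p for x, y in zip(m[i], m[r])]
        pivots.append(c)
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        v = [0] * ncols
        v[free] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-m[i][free]) % p
        basis.append(v)
    return basis


def evaluate(mono, coeffs, p):
    v = 1
    for c, e in zip(coeffs, mono):
        v = v * pow(c, e, p) % p
    return v


def find_relations(p, n_samples=80, seed=2002):
    """Rows = monomial evaluations at the coefficients of n_samples elements
    h = g^{p^2-1} of G_{p,4} (order divides Phi_4(p) = p^2 + 1); returns the
    rows and a kernel basis, i.e. the polynomial relations found."""
    F, rng, rows = F4(p), random.Random(seed), []
    while len(rows) < n_samples:
        g = [rng.randrange(p) for _ in range(4)]
        if g == [0, 0, 0, 0]:
            continue
        coeffs = min_poly(F, F.pow(g, p * p - 1))
        rows.append([evaluate(mono, coeffs, p) for mono in MONOMIALS])
    return rows, nullspace_mod_p(rows, p)


def expected_relations(p):
    """The genuine relations a0 - 1 = 0 and a3 - a1 = 0 as kernel vectors."""
    return [[p - 1, 1] + [0] * 10, [0, 0, 1, p - 1] + [0] * 8]


def is_relation(rows, vec, p):
    return all(sum(x * y for x, y in zip(r, vec)) % p == 0 for r in rows)


if __name__ == "__main__":
    for p in (5, 101):      # small p gives extra 'accidental' relations
        print(p, len(find_relations(p)[1]), "independent relations")
```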

Refuting Conjecture [?] (without the degree bounds) would involve looking at 
evaluations of all possible monomials in u coefficients. But since there is only a 
finite number of (different powers of) elements in F_{p^k} anyway, this is still a finite 
task! However, the necessary computation can only be done if p is very small 
(say 2 or 3), in which case we run into problems similar to those in the previous 
example for small p, namely that the order of G_{p,k} would be smaller than the 
number of monomials and we would obtain many unwanted identities. 


7 Experimental Results 

In this section we describe the experiments we have performed to test the con- 
jectures. We looked at all cases with k = de ≤ 30 still left open, as summarised 
in the table at the end of this section. We comment on some interesting cases, 
in order of ascending k. 

Example 8. k = 6 

This provided a test case for our programs (see the earlier examples). There are 
three pairs ( d , e) to consider. 

The case d = 3, e = 2 is trivial, since in the quadratic extension F_{p^6} over F_{p^3} 
elements are given by a single non-trivial coefficient of the palindromic minimal 
polynomial; elements are thus represented by one element of F_{p^3}, which is in 
accordance with Conjecture [?]. 

With d = 1, e = 6 Algorithm [?] finds (within a few seconds) the relations 
−a_5^2 + 2a_4 + 2a_5 − 2 = a_3, a_2 = a_4 and a_5 = a_1, for example with p = 211. 

Thus elements of a degree six field can be represented by the elements a_5 and a_4 
from the prime field. This proves, as noted before, both Conjecture [?] and hence 
Conjecture [?]  for (d,e) = (1,6), as well as Conjecture [?] and hence Conjecture [?] 
for k = 6. 

With d = 2, e = 3 we have a cubic extension with k even. The standard 
Algorithm [?] does not find small relations; however, if we include the conjugates 
a_2^p and a_1^p as well as a_2 and a_1, then with p = 29 the algorithm produces the 
relation a_2 + a_1^p = 0 (and, in fact, also the corresponding relation for a_1 in the Gröbner basis). 
Note the conflicting constraints on p once we include the conjugates: we want 
p to be large to avoid spurious relations in a small field, whereas we want it to 
be small since we get monomials including a_i^p in the relations. The relation 
a_2 + a_1^p = 0 means we can represent the degree 6 field by a single element a_2 
from the quadratic subfield; the element a_1 can then be recovered. This proves 
Conjecture [?] for (d,e) = (2,3) and Conjecture [?] for k = 6 (again). 


Example 9. k = 9 

Conjecture [?] and Conjecture [?] for d = e = 3 are covered by Proposition [?]. 
To achieve the same efficiency in the full extension (d = 1, e = 9) one would 
have to express a_2 and a_1 in terms of a_8, a_7, ..., a_3. Our experiments with Al- 
gorithm [?] show that no such relations exist with u = 6 and w = 7. That is, 
Conjecture [?] is false for this case. 

In order to investigate whether a relaxation as in Conjecture [?] with regard 
to the degree of the polynomials involved would hold, we increased the search 
bound in Algorithm [?] to w = 28. In this and the cases to follow, we took w as a 
multiple of u + 1 and took w also as an upper bound on the weighted degree of the 
polynomials when all variables are taken into consideration; that is, we searched 
for polynomials in Z[X_1, ..., X_u, Y] for which Σ_{i=1}^{u} i·s_i + (u + 1)·s ≤ w, where 
s_i is the exponent of X_i and s is the exponent of Y. In the current case that simply means that we allowed 
polynomials involving Y up to the 4-th power. Thus we even consider relations 
for a_2 involving a_2^4. 

No relations were found with w = 28. The computation involved computing 
the kernel of an 8561 × 8561 matrix over F_p (using p = 2003). 

Example 10. k = 10 

The case d = 2, e = 5 can be done using 2 elements from F_{p^2} by Proposition [?], 
proving Conjecture [?] for (d,e) = (2,5) but also Conjecture [?] for k = 10. 

For d = 1, e = 10 Proposition [?] shows that 5 elements of F_p suffice; Conjecture 
[?] predicts that 4 should be enough. We therefore invoke the Algorithm with 
u = 4; we found the following relation, but only after raising the search limit to 
w = 15 (using p = 1009): 

o| + 2 • al — 8 • a| ■ a 8 — 2 • a® • a 7 + a® • a B — 12 • a| • a 8 + 4 • a| • a 7 + 4 • ag • a 5 

— 4 ■ ag + 21 ■ ag ■ a§ + 12 ■ ag ■ as ■ a7 — 2 ■ ag ■ as ■ a6 — 6 ■ ag ■ as ■ as + 2 ■ ag ■ as 

T 2 • ag • — 2 • ag • ay • as 4- 12 • ag • ay -|- ag • a 6 — 10 • ag • as -|- 2 • ag • as — 3 • ag 

4- 20 • alj • a 8 — 16 • ag • a 8 • 07 — 4 • ag • as • 06 — 16 • a| • a 8 • as 4- 16 • ag • as 

— 6 • Og • ay T 8 • Og • O7 — 12 • Og • 06 T 2 • Og • O5 T 4 • Og — 20 • Og • 0 8 

— 20 * Og * Og * O7 T 8 * Og • Og * 06 4“ 10 * Og • Og * O5 — 8 * Og • Og — 8 * Og * 08 * O7 

T 4 • Og * 08 * ay • 06 4~ 8 • Og • Os * O7 • O5 — 32 • Og * 08 * O7 — 4 • Og • 08 * Og 

— 2 • Og * 08 * 06 * O5 T 32 • Og • 08 * 06 T 4 • Og • 08 — 2 • Og * O7 “(“ Og * O7 * O5 

4“ 12 • Og * O7 * 06 4“ 16 * Og * O7 * O5 — 4 • Og * O7 — 4 • Og * Og — 6 * Og * 06 * O5 

“i“ 4 • Og * O5 “(“ 2 • Og * O5 “(- 8 * Og — 8 * Og * Og T 16 * Og * Og * O7 T 8 * Og • 0 8 * 06 

+ 12 • ag • o| • as — 16 • og • a| + 12 • og • a 8 • a? — 16 • ag • as • 07 — 8 • og • os • 06 • os 

+ 16 • ag • os • 06 — 4 • og • os • a§ — 8 • og • a 8 — 4 • og • a? • 05 + 4 • og • a? 

+ 8 • ag • 07 • 06 — 16 • ag • 07 • 06 — 2 • ag • 07 • 05 + 8 • ag • 07 • 05 — 8 • ag • 06 

— 16 • ag • 06 • 05 + 8 • ag • 06 + 2 • ag • 05 + 4 • ag • 05 + 4 • a| + 8 • a| • 07 — 8 • o| • 06 

— 4 • a| • 05 + 8 • a| + 8 • o| • ay — 8 • a| • ay ■ a& — 4 • a% ■ ay ■ as + 16 • a 8 • ay 

+ 4 • as • ag + 4 ■ ag • 06 • as — 16 • a| • 06 + a| • 05 — 8 • as • 05 + 4 • as • 07 

— 4 • a 8 • O7 • 06 — 2 • 08 • O7 • 05 — 16 • 08 • 07 • 06 — 16 • a 8 ■ 07 • 05 + 8 • a 8 • 07 

+ 16 • a 8 • ag + 8 • a 8 • 06 • 05 — 8 • a 8 • 06 — 4 • a 8 • 05 — 8 • a 8 + 07 — 4 • a? 

— 4 • 07 • 06 — 6 • 07 * 05 8 • 07 4- 8 • 07 • Og 4* 8 • ay • as • as — 8 • 07 • ag 4- 2 • 07 * 05 

4- 4 • 07 • 05 — 8 • ag — 4 • Og • 05 4- 12 • Og 4- 2 • 06 • 05 4- 4 • 06 • 05 4- 05 4- 3 • 05 — 4 

A single run with these parameters took around 10 seconds. The size of the 
matrix, determined by the number of monomials involved, is 408 x 408. 

This relation poses some interesting questions; since the equation is of degree 
at least 3 in each of the variables, in general there will not be a unique solution 
for the variable a_5, given values for a_9, ..., a_6. Moreover, the polynomial is 
irreducible when we consider it as a polynomial in F[a_i] for all i ∈ {9, 8, 7, 6, 5}, 
with F the field of rational functions in the other four variables. 




Using this (impractical) relation, an improvement factor of 10/4 is 
achieved; less than in XTR but more than in LUC. 


Example 11. k = 12, 24 

For k = 12 and d = 1 we found polynomials Q_7 and Q_6 expressing a_7 and a_6 in 
a_11, ..., a_8; these polynomials are of weighted degree 15 and 18 respectively. As 
in the previous case they contain powers of a_7 and a_6 greater than 1. 

For k = 24, d = 2 we found the same relations as for k = 12, d = 1. 


Example 12. k = 30 

Finally, the most interesting case. 


  k    d    e   ⌈φ(k)/d⌉·d   Prop. 1 
 30    1   30            8        15 
 30    2   15            8        14 
 30    3   10            9        15 
 30    5    6           10        10 
 30    6    5           12        12 
 30   10    3           10        10 
 30   15    2           15        15 


As before we compare the conjectured and proven bounds on the number of 
elements of F_p that suffice. This shows that three cases of Conjecture [?] are still 
open. A quick run of Algorithm [?] showed that Conjecture [?] is false in each of 
the three cases (3,10), (2,15) and (1,30). 

The table also shows that to prove Conjecture [?] for k = 30 we would need 
to prove that either 8 elements of F_p or 4 elements of F_{p^2} suffice to generate all 
coefficients. Our further search for relations in these cases had no success either; 
the search bounds are given below. 


     p    k   d    u    w     #s 
  1009   30   1    8   27  10269 
  1009   30   1   11   24   6720 
  1009   30   1   14   25   9012 
    71   30   2    4   10   3616 
    71   30   2    5    6   1920 
   101   30   2    6    7   5760 


The last column lists the number of monomials taken into consideration and 
hence the number of minimal polynomials generated. Note that these results 
(for d = 2) refer to a modification of Algorithm [?] discussed in Section [?] to 
include conjugates of the coefficients. 

For the remaining open cases (see the table below) we searched for relations in 
vain. For each line in the table we ran Algorithm [?] for every u in the range 
from the conjectured value (inclusive) up to the proven bound (exclusive). For 
values of k exceeding 20 we ran Algorithm [?] only with w = u + 1 (thus only 
testing Conjecture [?]), while for k ≤ 20 we went further (in an attempt to prove 
Conjecture [?]) by taking w = 2(u + 1) or even w = 3(u + 1). 

When d > 1 we also ran the modified algorithm, taking the conjugates into 
account; only in the cases k = 21, d = 3, u = 5, and k = 27, d = 3, u = 6, 7 
did the resulting computation involve square matrices that were too large for us to 
deal with. The conjectured improvement factors in both cases are less than 2. 

The table lists all 25 cases with de ≤ 30 for which Proposition [?] and Ex- 
ample [?] do not provide a proof of Conjecture [?]. It lists the value ⌈φ(k)/d⌉ for 
u*_d predicted by Conjecture [?], the correct value as obtained by our experiments, 
and the upper bound S/d implied by Proposition [?] (cf. Table 1). 


  k   (d,e)    ⌈φ(k)/d⌉    u*_d    S/d 
  9   (1,9)           6       8      8 
 10   (1,10)          4       5      5 
 12   (1,12)          4       6      6 
 14   (1,14)          6       7      7 
 15   (1,15)          8      14     14 
 15   (3,5)           3       4      4 
 18   (1,18)          6       9      9 
 18   (2,18)          3       4      4 
 20   (1,20)          8      10     10 
 20   (2,10)          4       5      5 
 21   (1,21)         12      20     20 
 21   (3,7)           4     5,6      6 
 22   (1,22)         10      11     11 
 24   (1,24)          8      12     12 
 24   (2,12)          4       6      6 
 24   (3,8)           3       4      4 
 25   (1,25)         20      24     24 
 26   (1,26)         12      13     13 
 27   (1,27)         18      26     26 
 27   (3,9)           6   6,7,8      8 
 28   (1,28)         12      14     14 
 28   (2,14)          6       7      7 
 30   (1,30)          8      15     15 
 30   (2,15)          4       7      7 
 30   (3,10)          3       5      5 







Theorem 2. Conjecture [?] is false for all pairs (d,e) covered by the table, with 
the possible exception of the case (3,9). For all (d,e) with de ≤ 30, with (3,7) 
and (3,9) possibly excepted, the true value of u*_d equals the upper bound implied 
by Proposition [?]. Moreover, Conjecture [?] is false for k = 30, 21, 15, i.e. the cases 
≤ 30 not covered by Proposition [?]. 

8 Conclusion 

Based on generalisations of the LUC and XTR methods we have formulated pre- 
cise and verifiable versions of the Brouwer-Pellikaan-Verheul conjecture posed in 
[?]. By experiment we have shown that it is unlikely that a compact repre- 
sentation of elements exists in extension fields of degree thirty, providing some 
evidence that XTR cannot be improved with respect to compactness of repre- 
sentation. 

Our experiments leave open the possibility that the conjectures hold with 
polynomials of large degree, which most likely would be of no practical value. 
Abstract. A metering scheme allows a correct counting of the number 
of hits that a Web site received during a certain period. In this paper, 
we first derive tight lower bounds on the communication complexity |V_i| 
(i = 1, ..., n) and the size of the server's secrets |E_S| for robust and perfect 
(k,n)-metering schemes. We next show an almost equivalence between 
(k,n)-metering schemes and k-multiple-use A²-codes. Finally, by using 
this equivalence, we derive lower bounds on |V_i| and |E_S| for robust (but 
not necessarily perfect) (k,n)-metering schemes. 


1 Introduction 

A (k,n)-metering scheme allows a correct counting of the number of hits that a 
Web site received during a certain period. That is, a Web server S can compute a 
proof if and only if k or more clients visited S during a certain period. Naor and 
Pinkas proposed the first cryptographically secure (k,n)-metering scheme [1]. 
Ogata and Kurosawa showed that their scheme is not as secure as they claimed 
and presented a more secure scheme [2]. 

More specifically, there are four kinds of participants in this model: a Web server S, 
n clients C_1, ..., C_n, an audit agency A and an outside enemy E. (The 
clients are monitors and the outside enemy is not.) We then require the following 
three kinds of security. 

Security against Servers. A malicious Web server S tries to forge a proof 
from only k − 1 or fewer shares (authenticators) of clients and to cheat A. 
Hence S should not be able to inflate her hit counts. (There appears to be 
no way to detect whether S is deflating her hit counts.) 

Security against Clients. Malicious clients try to forge an illegal share which 
would be accepted by S, but would not allow S to compute the correct proof. 
Hence S must be able to detect illegal shares forged by clients. 

Security against Outside Enemy. An outside enemy E tries to forge a (legal 
or illegal) share which would be accepted by S. If it is legal, it causes a 
counting error because he is not a monitor. If it is illegal, it does not allow S 
to compute the correct proof. Hence S must be able to detect a share forged 
by E. 

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 64-80, 2002. 

© Springer-Verlag Berlin Heidelberg 2002 
We say that a (k,n)-metering scheme is 

— robust if it satisfies all three security requirements; 

— non-robust if it satisfies only the security against servers. 

We further say that a (k,n)-metering scheme is perfect if S gains no information 
on proof from any k − 1 or fewer shares. (It is interesting that the metering schemes 
proposed so far are all perfect.) 

For non-robust and perfect metering schemes, a lower bound on the commu- 
nication complexity |V_i| (i = 1, ..., n) was shown by De Bonis and Masucci [4] 
and by Masucci and Stinson [3], where V_i is the set of possible values v_i which is 
sent by client C_i to S when C_i has access to S. (They considered a more general 
model than ours in which there are multiple Web servers and there exists a 
ramp structure among clients.) 

However, non-robust metering schemes are not practical. We cannot assume 
that clients are all honest. We cannot assume that there is no outside enemy, 
either. 

In this paper, we derive lower bounds on the communication complexity |V_i| 
(i = 1, ..., n) and the size of the server's secrets |E_S| for robust (k,n)-metering 
schemes. 

We first derive lower bounds on |V_i| and |E_S| for "perfect and robust" (k,n)- 
metering schemes by using counting arguments. We also present a slightly mod- 
ified version of the Ogata-Kurosawa scheme [2] and prove that it satisfies all the 
equalities of our bounds. This means that our bounds are all tight. 

We next show an almost equivalence between robust (k,n)-metering schemes 
and k-multiple-use A²-codes, in the sense that we can always construct a k-multiple- 
use A²-code from a (k,n)-metering scheme, and in some cases, we can do the 
reverse. By using this equivalence, we derive lower bounds on |V_i| and |E_S| for 
robust (but not necessarily perfect) (k,n)-metering schemes. This equivalence is 
of independent interest because no relationship between them has been known 
so far. 



                          Lower bound on |V_i|   Lower bound on |E_S| 
 Non-robust and perfect   [4,3]                  Meaningless* 
 Robust and perfect       This paper             This paper 
 Robust                   This paper             This paper 

(For *, see the last paragraph of Sec. 2.5.) 

2 Preliminaries 

2.1 Model of Metering Schemes 

A (k,n)-metering scheme consists of three phases. 

Initialization Phase: An audit agency A first generates a proof, a secret key 
e_S of the Web server S and a share v_i of client C_i for i = 1, ..., n. A then 
gives e_S to S and v_i to C_i for i = 1, ..., n secretly. 
Communication Phase: If C_i wants to see the Web page of S, he sends v_i to 
S. S accepts (i, v_i) iff e_S(i, v_i) = 1. 

Proof Computing Phase: If k or more clients visited S during a certain pe- 
riod, then S can compute the proof from the k shares she received. 

Let Proof, E_S and V_i be the sets of possible values of the proof, the server's key and 
C_i's share. It is desirable that |E_S| and |V_i| are small. Let the random variables 
Proof, E_S and V_i be distributed on the sets Proof, E_S and V_i, respectively. 

(k,n)-metering schemes must satisfy the security against malicious servers, 
the security against malicious clients and the security against outside enemies. 
These security notions are defined in the following subsections. 

2.2 Security against Malicious Servers 

A (k,n)-metering scheme must be secure at least against malicious servers. A 
malicious server tries to forge a proof from only k − 1 shares of clients. Hence 
S should not be able to inflate her hit counts. (There appears to be no way to 
detect whether S is deflating her hit counts.) 

Formally, a malicious S corrupts some k − 1 clients C_{i_1}, ..., C_{i_{k-1}} adaptively 
and then obtains their k − 1 shares. S next forges a proof', hoping that proof' = 
proof. The cheating probability of this attack is defined by 

$$P_S = \max_{i_1, \ldots, i_{k-1}} \max_{proof'} \Pr(Proof = proof').$$

It is required that P_S is negligible in any metering scheme. 

2.3 Perfect Metering Scheme 

We say that a metering scheme is perfect if S gains no information on proof 
from any k − 1 shares. Note that this is a stronger notion of security against 
the server's attack than saying only that P_S is negligible. 

Definition 1. We say that a (k,n)-metering scheme is perfect if 

$$\Pr(Proof = proof \mid E_S = e_S, V_{i_1} = v_{i_1}, \ldots, V_{i_{k-1}} = v_{i_{k-1}}) = \Pr(Proof = proof) \qquad (1)$$

for any e_S, v_{i_1}, ..., v_{i_{k-1}} and proof. 

It is interesting that the metering schemes proposed so far are all perfect. 


2.4 Robust Metering Scheme 

We say that a metering scheme is robust if it is secure against malicious clients 
and outside enemies as well as malicious servers. 

Malicious clients try to forge an illegal share which would be accepted by S, 
but would not allow S to compute the correct proof. An outside enemy tries to 
forge a (legal or illegal) share which would be accepted by S. If it is legal, it 
causes a counting error because he is not a monitor. If it is illegal, it does not 
allow S to compute the correct proof. 
Clients' Attack: Some (even all) clients collude and make a forged share v'_i ≠ 
v_i for some client C_i. This attack will prevent S from computing the proof 
even if k or more clients visited S. (For example, one illegal share and k − 1 
honest shares yield an illegal proof that is rejected by A.) The cheating 
probability is defined by 

$$P_C = \max_{v_1, \ldots, v_n} \max_{i} \max_{v' \ne v_i} \Pr(\mathcal{S} \text{ accepts } (i, v') \mid v_1, \ldots, v_n \text{ are given}).$$

Outside Enemy's Attack: An outside enemy is interested in his attack before 
S computes a proof. Therefore, it must send the forged share to S before 
S receives k shares. In other words, the outside enemy can observe at most 
k − 1 shares sent by clients before computing a forged share. To summarize, 
the outside enemy makes a forged share v' for some client C_i by observing 
l < k shares of the other clients. The cheating probability of this attack is 
defined by 

$$P_E = \max_{0 \le l < k} \max_{i_1, \ldots, i_l} \max_{i} \max_{v'} \Pr(\mathcal{S} \text{ accepts } (i, v') \mid \mathcal{E} \text{ observes } v_{i_1}, \ldots, v_{i_l}).$$

A metering scheme is called robust if P_C and P_E are negligible. 

2.5 Bounds for Non-robust Metering Scheme 

A lower bound on the size |V_i| for non-robust and perfect metering schemes 
was shown by De Bonis and Masucci [4] and by Masucci and Stinson [3]. They 
considered a more general model than ours in which there are multiple servers. 

Proposition 1. [3, Corollary 3.9] In a non-robust and perfect (k,n)-metering 
scheme for multiple servers, 

$$\log_2 |V_i| \ge H(V_i) \ge s\,H(Proof),$$

where s is the number of corrupted servers. 

They also generalized their bound to ramp structures among clients. 

In non-robust metering schemes, S does not need to have any e_S ∈ E_S to 
check the shares of clients because there exist no malicious clients and outside 
enemies. Therefore, a lower bound on |E_S| is meaningless in this case. 

3 Bounds for “Perfect and Robust” Metering Scheme 

Non-robust metering schemes are not practical. We cannot assume that clients 
are all honest. We cannot assume that there is no outside enemy, either. 

In this section, we derive a lower bound on |V_i| and a lower bound on |E_S| for 
perfect and robust (k,n)-metering schemes. We also present a slightly modified 
version of the Ogata-Kurosawa scheme [2] and prove that it satisfies all the 
equalities of our bounds. This means that our bounds are all tight. 
3.1 Lower Bound on |V_i| 

Fix i_1, ..., i_k arbitrarily. For each 1 ≤ l ≤ k, define 

$$V_{i_l}(e_S, v_{i_1}, \ldots, v_{i_{l-1}}) = \{ v_{i_l} \mid \Pr(E_S = e_S, V_{i_1} = v_{i_1}, \ldots, V_{i_{l-1}} = v_{i_{l-1}}, V_{i_l} = v_{i_l}) > 0 \},$$
$$V_{i_l}(v_{i_1}, \ldots, v_{i_{l-1}}) = \{ v_{i_l} \mid \Pr(V_{i_1} = v_{i_1}, \ldots, V_{i_{l-1}} = v_{i_{l-1}}, V_{i_l} = v_{i_l}) > 0 \},$$
$$E_S(v_{i_1}, \ldots, v_{i_l}) = \{ e_S \mid \Pr(E_S = e_S, V_{i_1} = v_{i_1}, \ldots, V_{i_l} = v_{i_l}) > 0 \}.$$

Note that V_{i_k} ⊇ V_{i_k}(e_S). 

Lemma 1. For any possible e_S, v_{i_1}, ..., v_{i_{k-1}}, 

$$|V_{i_k}(e_S, v_{i_1}, \ldots, v_{i_{k-1}})| \ge |Proof|.$$

Proof. Fix any possible e_S, v_{i_1}, ..., v_{i_{k-1}} arbitrarily. Then any proof ∈ Proof 
can happen with positive probability in a perfect (k,n)-metering scheme. On 
the other hand, each v_{i_k} ∈ V_{i_k}(e_S, v_{i_1}, ..., v_{i_{k-1}}) must determine proof ∈ Proof 
uniquely. This means that there exists an onto mapping from V_{i_k}(e_S, v_{i_1}, ..., v_{i_{k-1}}) 
to Proof. Therefore, 

$$|V_{i_k}(e_S, v_{i_1}, \ldots, v_{i_{k-1}})| \ge |Proof|.$$

□ 

Corollary 1. |V_i(e_S)| ≥ |Proof| for any i. 

Theorem 1. In a perfect and robust (k,n)-metering scheme, 

$$|V_i| \ge |Proof|\,(P_E)^{-1}$$

for any i. 

Proof. We will derive a lower bound on P_E. Define 

$$\phi(e_S, v_i) = \begin{cases} 1 & \text{if } v_i \in V_i(e_S) \\ 0 & \text{otherwise.} \end{cases}$$

Note that S accepts (i, v_i) iff v_i ∈ V_i(e_S). Therefore, 

$$\sum_{v_i \in V_i} \Pr(\mathcal{S} \text{ accepts } (i, v_i)) = \sum_{v_i \in V_i} \sum_{e_S \in E_S} \Pr(e_S)\,\phi(e_S, v_i) = \sum_{e_S \in E_S} \Pr(e_S) \sum_{v_i \in V_i} \phi(e_S, v_i) = \sum_{e_S \in E_S} \Pr(e_S)\,|V_i(e_S)| \ge |Proof| \sum_{e_S \in E_S} \Pr(e_S) = |Proof|,$$

where the inequality follows from Corollary 1. Therefore, 

$$P_E \ge \max_{v_i} \Pr(\mathcal{S} \text{ accepts } (i, v_i)) \ge |Proof|/|V_i|.$$

□ 
3.2 Lower Bound on |E_S| 

Define 

$$ALL = \{ (v_1, \ldots, v_k) \mid \Pr(V_1 = v_1, \ldots, V_k = v_k) > 0 \},$$
$$ALL(e_S) = \{ (v_1, \ldots, v_k) \mid \Pr(E_S = e_S, V_1 = v_1, \ldots, V_k = v_k) > 0 \}.$$

Lemma 2. If the equality of Corollary 1 holds for all i, then 
|ALL(e_S)| = |Proof|^k. 

Proof. From the equality of Corollary 1 and Lemma 1, 

$$|Proof| = |V_2(e_S)| \ge |V_2(e_S, v_1)| \ge |Proof|.$$

Therefore, |V_2(e_S, v_1)| = |Proof| for any v_1 ∈ V_1(e_S). Hence, 

$$|\{ (v_1, v_2) \mid \Pr(E_S = e_S, V_1 = v_1, V_2 = v_2) > 0 \}| = |V_1(e_S)| \times |V_2(e_S, v_1)| = |Proof|^2.$$

By repeating this process, we have |ALL(e_S)| = |Proof|^k. □ 

Lemma 3. |V_{i_{l+1}}(v_{i_1}, ..., v_{i_l})| ≥ |Proof|(P_E)^{-1} for 1 ≤ l ≤ k − 1. 

Proof. Similar to the proof of Theorem 1. Suppose that an outside enemy E ob- 
serves l shares sent by clients, say C_{i_1}, ..., C_{i_l}. Let their shares be v = (v_{i_1}, ..., v_{i_l}). 

Define 

$$\phi(e_S, v_{i_{l+1}}) = \begin{cases} 1 & \text{if } v_{i_{l+1}} \in V_{i_{l+1}}(e_S) \\ 0 & \text{otherwise.} \end{cases}$$

Note that S accepts (i_{l+1}, v_{i_{l+1}}) iff v_{i_{l+1}} ∈ V_{i_{l+1}}(e_S). Therefore, 

$$\sum_{v_{i_{l+1}} \in V_{i_{l+1}}(v)} \Pr(\mathcal{S} \text{ accepts } (i_{l+1}, v_{i_{l+1}}) \mid \mathcal{E} \text{ observes } v) = \sum_{v_{i_{l+1}} \in V_{i_{l+1}}(v)} \sum_{e_S \in E_S(v)} \Pr(e_S \mid v)\,\phi(e_S, v_{i_{l+1}})$$
$$= \sum_{e_S \in E_S(v)} \Pr(e_S \mid v) \sum_{v_{i_{l+1}} \in V_{i_{l+1}}(v)} \phi(e_S, v_{i_{l+1}}) = \sum_{e_S \in E_S(v)} \Pr(e_S \mid v)\,|V_{i_{l+1}}(v) \cap V_{i_{l+1}}(e_S)|$$
$$= \sum_{e_S \in E_S(v)} \Pr(e_S \mid v)\,|V_{i_{l+1}}(e_S, v)| \ge |Proof| \sum_{e_S \in E_S(v)} \Pr(e_S \mid v) = |Proof|,$$

where the inequality follows from Lemma 1. Therefore, 

$$P_E \ge |Proof|/|V_{i_{l+1}}(v)|.$$
Lemma 4. |E_S(v_1, ..., v_k)| ≥ P_C^{-1}. 

Proof. Consider the following attack of k clients C_1, ..., C_k. Let their shares be 
v = (v_1, ..., v_k). First, they choose e'_S ∈ E_S(v) such that 

$$\Pr(e'_S \mid v) = \max_{e_S \in E_S(v)} \Pr(e_S \mid v).$$

Next they choose v'_1 randomly from V_1(e'_S, v_2, ..., v_k) \ {v_1}. Finally C_1 sends v'_1 
to S. Clearly, this attack succeeds if S has e'_S. Therefore, 

$$P_C \ge \Pr(\mathcal{S} \text{ has } e'_S \mid v) = \max_{e_S \in E_S(v)} \Pr(e_S \mid v) \ge 1/|E_S(v)|.$$

□ 

Lemma 5. |ALL| ≥ |Proof|^k (P_E)^{-k}. 

Proof. First, from Theorem 1, 

$$|V_1| \ge |Proof|\,(P_E)^{-1}.$$

Next, from Lemma 3, 

$$|V_2(v_1)| \ge |Proof|\,(P_E)^{-1}$$

for each v_1 ∈ V_1. Therefore, 

$$|\{ (v_1, v_2) \mid \Pr(V_1 = v_1, V_2 = v_2) > 0 \}| \ge |Proof|^2 (P_E)^{-2}.$$

By repeating this process, we obtain |ALL| ≥ |Proof|^k (P_E)^{-k}. □ 

Theorem 2. Suppose that the equality of Corollary 1 holds for all i and e_S. 
Then in a perfect and robust (k,n)-metering scheme, 

$$|E_S| \ge (P_C P_E^k)^{-1}.$$

Proof. First, from Lemma 2, 

$$\sum_{e_S \in E_S} |ALL(e_S)| = |E_S|\,|Proof|^k.$$

Next, 

$$\sum_{(v_1, \ldots, v_k) \in ALL} |E_S(v_1, \ldots, v_k)| \ge |ALL|\,P_C^{-1} \quad \text{(Lemma 4)}$$
$$\ge |Proof|^k (P_E)^{-k} (P_C)^{-1} \quad \text{(Lemma 5)}.$$

On the other hand, it is easy to see that 

$$\sum_{e_S \in E_S} |ALL(e_S)| = \sum_{(v_1, \ldots, v_k) \in ALL} |E_S(v_1, \ldots, v_k)|.$$

Therefore, 

$$|E_S| \ge \frac{|Proof|^k (P_E)^{-k} (P_C)^{-1}}{|Proof|^k} = (P_E^k P_C)^{-1}.$$

□ 
3.3 Modified Ogata-Kurosawa Scheme 

We next present a slightly modified version of the Ogata-Kurosawa scheme [2] 
and prove that it satisfies all the equalities of our bounds. This means that our 
bounds are all tight. 

The modified Ogata-Kurosawa scheme is described as follows. Let p > n be 
a large prime number. 

Initialization Phase: 1. An audit agency A chooses a random number r ∈ Z_p 
and two random polynomials f_0(y) and f_1(y) of degree at most k − 1 
over GF(p). 

2. Let proof = f_1(0). 

3. A gives e_S = (r, g(y)) to the Web server S, where 

$$g(y) = f_0(y) + r f_1(y).$$

4. A gives v_i = (f_0(i), f_1(i)) to client C_i for 1 ≤ i ≤ n. 

Communication Phase: If C_i wants to see the Web page of S, he sends v_i = 
(a, b) to S. S accepts (i, (a, b)) iff 

$$g(i) = a + rb. \qquad (2)$$

Proof Computing Phase: If k or more clients visited S, then S can compute 
proof = f_1(0) by using the Lagrange formula. 

In the above scheme, it is clear that 

$$|Proof| = p, \qquad |E_S| = p^{k+1}, \qquad |V_i| = p^2$$

for each i. We then prove the following theorem. 

Theorem 3. The modified Ogata-Kurosawa scheme is perfect and 

$$P_C = P_E = 1/p. \qquad (3)$$

Proof. Note that the secret key of A is K = (r, f_0(y), f_1(y)). 
1. For simplicity, let i_1 = 1, ..., i_{k-1} = k − 1. Fix 

$$e_S = (r, g(y)),\; v_1 = (a_1, b_1), \ldots, v_{k-1} = (a_{k-1}, b_{k-1})$$

arbitrarily. We will show that there exists a unique (f_0(y), f_1(y)) for each 
value of proof. Fix proof arbitrarily. First there exists a unique f_1(y) such 
that 

$$f_1(0) = proof,\; f_1(1) = b_1, \ldots, f_1(k-1) = b_{k-1}$$

because deg(f_1) is at most k − 1. Next f_0(y) is uniquely determined as 

$$f_0(y) = g(y) - r f_1(y)$$

because e_S = (r, g(y)) is fixed. Therefore, each value of proof is equally likely 
to happen for any fixed e_S, v_1, ..., v_{k-1}. This means that 

$$\Pr(Proof = proof \mid e_S, v_1, \ldots, v_{k-1}) = 1/p = \Pr(Proof = proof).$$

Hence the scheme is perfect. 
2. Fix 

$$v_1 = (a_1, b_1), \ldots, v_n = (a_n, b_n) \qquad (4)$$

and i ∈ {1, ..., n} arbitrarily. Let B_0 be the set of K = (r, f_0(y), f_1(y)) such 
that eq. (4) holds. For v' = (a', b') such that (a', b') ≠ (a_i, b_i), let B_1 be the 
subset of B_0 such that S accepts (i, v'). Then 

$$P_C = \max \Pr(\mathcal{S} \text{ accepts } (i, v') \mid v_1, \ldots, v_n) = \max |B_1|/|B_0|.$$

We will compute |B_0| and |B_1|. First, since f_0(y) and f_1(y) are uniquely 
determined from eq. (4), we have 

$$|B_0| = |\{r\}| = p.$$

Next, since S accepts (i, v'), g(i) = a' + rb'. On the other hand, from eq. (2), 
g(i) = a_i + r b_i. Therefore, 

$$a_i + r b_i = a' + r b', \qquad r(b_i - b') = a' - a_i.$$

The above equation has at most one solution in r because (a', b') ≠ (a_i, b_i). 
Therefore, max |B_1| = 1. Hence 

$$P_C = \max |B_1|/|B_0| = 1/p.$$

3. For simplicity, let l = k − 1 and i_1 = 1, ..., i_{k-1} = k − 1. Fix 

$$v_1 = (a_1, b_1), \ldots, v_{k-1} = (a_{k-1}, b_{k-1}) \qquad (5)$$

and i (≥ k) arbitrarily. Let B_0 be the set of K = (r, f_0(y), f_1(y)) such that 
eq. (5) holds. For v' = (a', b') let B_1 be the subset of B_0 such that S accepts 
(i, v'). Then 

$$P_E = \max \Pr(\mathcal{S} \text{ accepts } (i, v') \mid v_1, \ldots, v_{k-1}) = \max |B_1|/|B_0|.$$

We will compute |B_0| and |B_1|. First, since f_0(y) and f_1(y) are uniquely 
determined from the values of f_0(0) and f_1(0), we have 

$$|B_0| = |\{(r, f_0(0), f_1(0))\}| = p^3.$$

Next, g(i) = a' + rb' if S accepts (i, v'). On the other hand, g(i) = f_0(i) + 
r f_1(i). Therefore, 

$$f_0(i) + r f_1(i) = a' + r b'.$$

In the above equation, f_0(i) is uniquely determined from each value of 
(r, f_1(i)). (Note that f_0(y) and f_1(y) are uniquely determined from each 
value of f_0(i) and f_1(i).) Therefore, 

$$|B_1| = |\{(r, f_1(i))\}| = p^2.$$

Hence 

$$|B_1|/|B_0| = 1/p.$$

□ 

It is now easy to see that all the equalities of our bounds are satisfied by the 
above scheme. 

(Remark) In the original Ogata-Kurosawa scheme, proof = f_0(0) and r is ran- 
domly chosen from Z_p \ {0}. Therefore, P_C = 1/(p − 1) and |E_S| = (p − 1)p^k. 

4 Lower Bounds for Multiple-Use A²-codes 

For multiple-use A²-codes, Wang et al. derived a lower bound on the cheating 
probabilities and a lower bound on the size of keys [8]. (See Appendix A.) How- 
ever, their bound on the size of keys holds only under the condition that the cheating 
probabilities satisfy their lower bound (see Proposition 3). We cannot derive a 
lower bound on the size of authenticators from their result, either. 

In this section, we first define the cheating probabilities in a different way 
from [8]. We then derive a lower bound on the size of keys which holds for any 
values of the cheating probabilities. We also derive a lower bound on the size of 
authenticators. 

The results of this section will be used in the following sections. 


4.1 Multiple-Use A²-codes 

In the model for unconditionally secure authentication codes (A-codes), the 
transmitter T and the receiver R use the same encoding rule to protect their 
communication from deception by an outside enemy O. 

An authentication code with arbitration (A²-code) makes it possible to authenticate a 
message sent by T to R even if T and R do not trust each other [6, 7]. An A²-code 
includes a fourth person called an arbiter A', who solves disputes between T 
and R. 

In this paper, we consider A²-codes which are used to send multiple messages. 
If T can use an A²-code to send k − 1 authenticated messages to R, 
then we call the code a k-multiple-use A²-code. 

A k-multiple-use A²-code consists of three phases. 

Initialization Phase: An arbiter A' first generates a secret key e_t of T and a 
secret key e_r of R. A' then gives e_t to T and e_r to R secretly. 

Communication Phase: For a source state s, T computes an authenticator 
a = e_t(s). T then sends m = (s, a) to R, where m is called a message. R 
accepts m = (s, a) as authentic iff e_r(s, a) = 1. 

Dispute Phase: On a dispute between T and R, A' accepts m = (s, a) as au- 
thentic iff a = e_t(s). 

Define E_t = {e_t}, E_r = {e_r}, M = {m}, S = {s} and A = {a}. Let E_t, E_r, 
M, S, A be the random variables distributed over E_t, E_r, M, S, A, respectively. 
In the model of k-multiple-use A²-codes, there are three kinds of attacks. 
Transmitter's Attack: T sends a message m = (s, a) to the receiver R and 
denies having sent it. T succeeds if m is accepted by R as authentic and 
a ≠ e_t(s). 

Receiver's Attack: R receives less than k messages and claims to have re- 
ceived a new message m' = (s', a'). R succeeds if a' = e_t(s'). 

Outside Enemy's Attack: An outside enemy O observes i < k messages sent 
by T, and then substitutes the last one with a forged one m' = (s', a'). O 
succeeds if e_r(s', a') = 1. 

We define the cheating probabilities of a k-multiple-use A²-code as follows, 
where P_T, P_R and P_O denote the cheating probabilities of T, R and O, re- 
spectively: 

$$P_{R_i} = E\Big( \max_{m' = (s', a') \notin \{m_1, \ldots, m_i\}} \Pr(a' = e_t(s') \mid T \text{ sent } m_1, \ldots, m_i) \Big),$$

$$P_{O_i} = E\Big( \max_{m' \notin \{m_1, \ldots, m_i\}} \Pr(R \text{ accepts } m' \mid T \text{ sent } m_1, \ldots, m_i) \Big),$$

where 0 ≤ i ≤ k − 1. Let 

$$P_O = \max_i P_{O_i}, \qquad P_R = \max_i P_{R_i}.$$



4.2 Lower Bounds

In this subsection, we present a lower bound on the cheating probabilities defined above. It is a generalization of a lower bound for usual $A^2$-codes given by Johansson [10].

Theorem 4.

$$P_T \ge 2^{-I(M; E_r \mid E_t)},$$

$$P_{R_i} \ge 2^{-H(E_t \mid M_1 \cdots M_i, E_r) + H(E_t \mid M_1 \cdots M_{i+1}, E_r)},$$

$$P_{O_i} \ge 2^{-I(E_r; E_t \mid M_1 \cdots M_i) + I(E_r; E_t \mid M_1 \cdots M_{i+1})}.$$

The proof will be given in the final paper. We then obtain a lower bound on the size of keys as follows.

Theorem 5. If $S$ is uniformly distributed, then

$$|\mathcal{E}_t| \ge (P_R P_O)^{-k}, \qquad |\mathcal{E}_r| \ge (P_T P_O^k)^{-1}, \qquad |\mathcal{A}| \ge (P_R P_O)^{-1}.$$

Proof. From Theorem 4,

$$(P_R)^k \ge P_{R_0} \cdots P_{R_{k-1}} \ge 2^{-H(E_t \mid E_r) + H(E_t \mid M_1 \cdots M_k, E_r)},$$

$$(P_O)^k \ge P_{O_0} \cdots P_{O_{k-1}} \ge 2^{-I(E_r; E_t) + I(E_r; E_t \mid M_1 \cdots M_k)},$$

where the products telescope over $i = 0, \ldots, k - 1$. Multiplying the two and using $H(E_t \mid E_r) + I(E_r; E_t) = H(E_t)$ and $H(E_t \mid M_1 \cdots M_k, E_r) + I(E_r; E_t \mid M_1 \cdots M_k) = H(E_t \mid M_1 \cdots M_k)$, we get

$$(P_O P_R)^k \ge 2^{-H(E_t) + H(E_t \mid M_1 \cdots M_k)} \ge 2^{-H(E_t)},$$

$$|\mathcal{E}_t| \ge 2^{H(E_t)} \ge (P_O P_R)^{-k}.$$

The second bound can be derived similarly.

The bound on $|\mathcal{A}|$ is derived as follows.

$$|\mathcal{M}| \ge 2^{H(M)} = 2^{H(M \mid E_t)} \, 2^{I(M; E_r; E_t)} \, 2^{I(M; E_t \mid E_r)} \ge 2^{H(S)} \, 2^{I(E_r; E_t) - I(E_r; E_t \mid M)} \, 2^{H(E_t \mid E_r) - H(E_t \mid M, E_r)}.$$

From Theorem 4 (with $i = 0$), it holds that

$$2^{I(E_r; E_t) - I(E_r; E_t \mid M)} \ge 1/P_{O_0}, \qquad 2^{H(E_t \mid E_r) - H(E_t \mid M, E_r)} \ge 1/P_{R_0}.$$

Therefore,

$$|\mathcal{M}| \ge 2^{H(S)} / (P_{O_0} P_{R_0}) = |\mathcal{S}| / (P_{O_0} P_{R_0}),$$

$$|\mathcal{A}| = |\mathcal{M}| / |\mathcal{S}| \ge (P_O P_R)^{-1}.$$

□

We can see that the above bounds are tight because there exists an $A^2$-code which satisfies all of them with equality (see Appendix B).

5 Almost Equivalence

In this section, we show an almost equivalence between robust $(k, n)$-metering schemes and $k$-multiple-use $A^2$-codes: we can always construct a $k$-multiple-use $A^2$-code from a $(k, n)$-metering scheme, and in some cases we can do the reverse.

In what follows, we define the cheating probability of clients and the cheating probability of outside enemies as follows.

$$P_C = E\left[\max_i \max_{v'_i} \Pr(\mathcal{S} \text{ accepts } (i, v'_i) \mid v_1, \ldots, v_n \text{ are given})\right],$$

where $E$ is taken over $v_1, \ldots, v_n$.

$$P_E = \max_l E\left[\max_{(i, v'_i)} \Pr(\mathcal{S} \text{ accepts } (i, v'_i) \mid \mathcal{E} \text{ observes } v_{i_1}, \ldots, v_{i_l})\right],$$

where $E$ is taken over $i_1, \ldots, i_l$ and $v_{i_1}, \ldots, v_{i_l}$.

The cheating probabilities of $k$-multiple-use $A^2$-codes are defined in the previous section.
5.1 Metering Scheme Implies a Multiple-Use $A^2$-code

First, we show that a $(k, n)$-metering scheme implies a $k$-multiple-use $A^2$-code. Without loss of generality, suppose that $V_i \subseteq V$, where $|V| = \max_i |V_i|$.

Theorem 6. If there exists a $(k, n)$-metering scheme with $(\mathrm{Proof}, E_s, \{V_i\})$ and $(P_C, P_S, P_E)$, then there exists a $k$-multiple-use $A^2$-code with $(\mathcal{E}_t, \mathcal{E}_r, \mathcal{S}, \mathcal{A})$ and $(P_T, P_R, P_O)$ such that

$$P_T = P_C, \qquad P_R \le P_S, \qquad P_O = P_E,$$

$$\mathcal{E}_t = V_1 \times \cdots \times V_n, \qquad \mathcal{E}_r = E_s, \qquad \mathcal{S} = \{1, 2, \ldots, n\}, \qquad \mathcal{A} = V.$$

Proof. Suppose that there exists a $(k, n)$-metering scheme with $(\mathrm{Proof}, E_s, \{V_i\})$ and $(P_C, P_S, P_E)$. We then construct a $k$-multiple-use $A^2$-code as follows.

Initialization Phase: The arbiter $A'$ first runs the audit agency $\mathcal{A}$ of the $(k, n)$-metering scheme to generate $\mathrm{proof}$, $e_s$ and $(v_1, \ldots, v_n)$. $A'$ then gives $e_t = (v_1, \ldots, v_n)$ to $T$ and $e_r = e_s$ to $\mathcal{R}$ secretly as their secret keys.

Communication Phase: For a source state $i \in \{1, \ldots, n\}$, $T$ sends a message $m = (i, v_i)$ to $\mathcal{R}$, where $v_i$ is the authenticator for $i$.

Dispute Phase: On a dispute between $T$ and $\mathcal{R}$, $A'$ accepts $m = (i, a)$ as authentic iff $a = v_i$.

It is clear that $\mathcal{E}_t = V_1 \times \cdots \times V_n$, $\mathcal{E}_r = E_s$, $\mathcal{S} = \{1, 2, \ldots, n\}$, $\mathcal{A} = V$.

Next, it is easy to see that an outside enemy's attack on the $(k, n)$-metering scheme can be used directly as an outside enemy's attack on the $k$-multiple-use $A^2$-code and vice versa. Therefore, $P_O = P_E$.

A clients' attack on the $(k, n)$-metering scheme is that all clients collude and make a forged share $v'_s \ne v_s$. In other words, from the given $(1, v_1), \ldots, (n, v_n)$, they make $v'_s \ne v_s$ for some $s$, hoping that it is accepted by $\mathcal{S}$ with her secret key $e_s$. It is easy to see that this attack can be used directly as a transmitter's attack on the $k$-multiple-use $A^2$-code. Therefore, $P_T \ge P_C$. It is easy to see that the converse also holds. Hence $P_C \ge P_T$. Therefore, $P_T = P_C$.

Suppose that there exists a receiver's attack $R_{attack}$ on the $k$-multiple-use $A^2$-code with success probability $P_R$. Then we consider the following server's attack on the $(k, n)$-metering scheme. Suppose that $l < k$ clients $C_{i_1}, \ldots, C_{i_l}$ visited $\mathcal{S}$. $\mathcal{S}$ runs $R_{attack}$ on input $e_r$ and the $l$ messages $(i_1, v_{i_1}), \ldots, (i_l, v_{i_l})$. $R_{attack}$ outputs a new message $m = (s, v_s)$ for some $s \notin \{i_1, \ldots, i_l\}$. $\mathcal{S}$ next corrupts $k - l - 1$ clients $C_{i_{l+1}}, \ldots, C_{i_{k-1}}$ other than $\{i_1, \ldots, i_l, s\}$ and obtains their shares. Then $\mathcal{S}$ obtains $k$ shares $v_{i_1}, \ldots, v_{i_{k-1}}$ and $v_s$ in total. Therefore, $\mathcal{S}$ can compute the proof from the $k$ shares. This attack succeeds with probability $P_R$. Hence, $P_S \ge P_R$. □


5.2 Weak Converse

Next, we show a weak converse of Theorem 6.

Lemma 6. In a $k$-multiple-use $A^2$-code in which $|\mathcal{E}_t|$ satisfies the bound of Theorem 5 with equality, the transmitter's key is determined uniquely from $k$ or more valid messages.

Proof. From the proof of Theorem 5, we obtain

$$(P_O P_R)^k \ge 2^{-H(E_t) + H(E_t \mid M_1 \cdots M_k)}.$$

The bound holds with equality only if $H(E_t \mid M_1 \cdots M_k) = 0$. This means that $e_t$ is determined by $k$ messages. □

Theorem 7. If there exists a $k$-multiple-use $A^2$-code with $(\mathcal{E}_t, \mathcal{E}_r, \mathcal{S}, \mathcal{A})$ and $(P_T, P_R, P_O)$ such that $|\mathcal{E}_t|$ satisfies the bound of Theorem 5 with equality, then there exists a $(k, n)$-metering scheme with $(\mathrm{Proof}, E_s, \{V_i\})$ and $(P_C, P_S, P_E)$ such that

$$P_C = P_T, \qquad P_S \le P_R, \qquad P_E = P_O,$$

$$E_s = \mathcal{E}_r, \qquad n = |\mathcal{S}| - 1, \qquad \mathrm{Proof} = V_1 = \cdots = V_n = \mathcal{A}.$$

Proof. (Sketch) Using a $k$-multiple-use $A^2$-code, construct a metering scheme as follows. $\mathcal{A}$ chooses $s_0 \in \mathcal{S}$ and sets $\mathrm{proof} = e_t(s_0)$. Each client $C_i$ receives $v_i = e_t(s_i)$, where $\mathcal{S} = \{s_0, s_1, \ldots, s_n\}$.

If $|\mathcal{E}_t|$ satisfies the bound with equality, $e_t$ is determined uniquely from $k$ or more valid messages (from Lemma 6). Then the server can obtain $\mathrm{proof} = e_t(s_0)$ if he has been visited by $k$ or more clients. The rest of the proof is similar to that of Theorem 6. □

6 Lower Bounds for Robust Metering Schemes

In this section, we derive a lower bound on $|V_i|$ and a lower bound on $|E_s|$ for robust (but not necessarily perfect) $(k, n)$-metering schemes by using our relationship between metering schemes and multiple-use $A^2$-codes (and our lower bounds for $k$-multiple-use $A^2$-codes of Sec. 4).

6.1 Bounds for Robust Metering Schemes

From Theorem 5 and Theorem 6, we immediately obtain a lower bound on the size of keys for $(k, n)$-metering schemes as follows.

Corollary 2. In a $(k, n)$-metering scheme, if each client visits the Web server with equal probability, then

$$\max_i |V_i| \ge (P_S P_E)^{-1}, \qquad |E_s| \ge (P_C P_E^k)^{-1}.$$

Corollary 2 is tight because the Ogata-Kurosawa metering scheme satisfies all the equalities of the bound (see Sec. 3.3).



78 


Wakaha Ogata and Kaoru Kurosawa 


6.2 Bound on $P_E$

We can remove $P_E$ from the above bound by using Theorem 8.

Theorem 8. In a $(k, n)$-metering scheme,

$$P_E \le P_C + P_S.$$

Proof. (Sketch) From the definition of $P_E$,

$$P_E \le \max_l E\left[\max_{(i, v'_i)} \Pr(\mathcal{S} \text{ accepts } (i, v'_i) \wedge C_i \text{ has } v'_i \mid \mathcal{E} \text{ observes } v_{i_1}, \ldots, v_{i_l})\right]$$

$$\qquad + \max_l E\left[\max_{(i, v'_i)} \Pr(\mathcal{S} \text{ accepts } (i, v'_i) \wedge \neg(C_i \text{ has } v'_i) \mid \mathcal{E} \text{ observes } v_{i_1}, \ldots, v_{i_l})\right].$$

The first term of the right-hand side is at most $P_S$, while the second term is at most $P_C$. □

Corollary 3. In a $(k, n)$-metering scheme, if each client visits the Web server with equal probability, then

$$\max_i |V_i| \ge \big(P_S (P_S + P_C)\big)^{-1}, \qquad |E_s| \ge \big(P_C (P_S + P_C)^k\big)^{-1}.$$

7 Conclusion

In this paper, we first derived lower bounds on $|V_i|$ and $|E_s|$ for "perfect and robust" $(k, n)$-metering schemes by using counting arguments, where $|V_i|$ $(i = 1, \ldots, n)$ is the communication complexity and $|E_s|$ is the size of the server's secret. We also presented a slightly modified version of the Ogata-Kurosawa scheme [2] and proved that it satisfies all the equalities of our bounds. This means that our bounds are all tight.

We next showed an almost equivalence between robust $(k, n)$-metering schemes and $k$-multiple-use $A^2$-codes: we can always construct a $k$-multiple-use $A^2$-code from a $(k, n)$-metering scheme, and in some cases we can do the reverse. By using this equivalence, we derived lower bounds on $|V_i|$ and $|E_s|$ for robust (but not necessarily perfect) $(k, n)$-metering schemes. This equivalence is of independent interest because no relationship between them has been known so far.
A Bounds for Multiple-Use $A^2$-code by Wang et al.

Wang, Safavi-Naini and Pei defined the cheating probabilities of $k$-multiple-use $A^2$-codes as follows, where $P_t$, $P_{r_i}$ and $P_{o_i}$ denote the cheating probabilities of $T$, $\mathcal{R}$ and $O$, respectively.

$\Pr(\mathcal{R}$ accepts $m' \mid T$ sent $m_1, \ldots$

They then showed a lower bound on the cheating probabilities and the size of keys as follows.

Proposition 2. [8, Theorem 3.1, 3.2, 3.3]

$$P_t \ge 2^{H(E_r \mid M, E_t) - H(E_r \mid E_t)},$$

$$P_{r_i} \ge 2^{-H(E_t \mid M_1 \cdots M_i, E_r) + H(E_t \mid M_1 \cdots M_{i+1}, E_r)}.$$

Proposition 3. [8, Theorem 4.1, 4.2] If $P_{o_i}$ and $P_{r_i}$ achieve their lower bounds, then
\E t \ > vnt1(44), (6) 

If $P_{o_i}, P_{r_i}$ $(0 \le i < k)$ and $P_t$ achieve their lower bounds, and equality holds in eq. (6), then
B Construction of Multiple-Use $A^2$-codes

Wang et al. showed that there exists a $k$-multiple-use $A^2$-code if there exists a certain combinatorial design [8]. However, they did not show an explicit construction of that design. Therefore, no explicit construction of a $k$-multiple-use $A^2$-code is known.

By substituting the modified Ogata-Kurosawa metering scheme into the proof of Theorem 6, we immediately obtain an explicit construction of a $k$-multiple-use $A^2$-code as follows.

Let $p$ be a large prime number.

Initialization Phase: An arbiter $A'$ chooses a random number $r \in Z_p$ and two random polynomials $f_0(y)$ and $f_1(y)$ of degree at most $k - 1$ over $GF(p)$. Let $e_t = (f_0(y), f_1(y))$ and $e_r = (r, g(y))$, where $g(y) = f_0(y) + r f_1(y)$. Then $A'$ gives $e_t$ to $T$ and $e_r$ to $\mathcal{R}$ secretly as their secret keys.

Communication Phase: For a source state $s \in Z_p$, $T$ sends $m = (s, f_0(s), f_1(s))$ to $\mathcal{R}$. $\mathcal{R}$ accepts $m = (s, a, b)$ as authentic iff $g(s) = a + rb$.

Dispute Phase: On a dispute between $T$ and $\mathcal{R}$, $A'$ accepts $m = (s, a, b)$ as authentic iff $f_0(s) = a$ and $f_1(s) = b$.

It is clear that $|\mathcal{E}_t| = p^{2k}$, $|\mathcal{E}_r| = p^{k+1}$, $|\mathcal{A}| = p^2$. From eq. (3) and Theorem 6, it holds that $P_T = 1/p$, $P_R \le 1/p$, $P_O = 1/p$. More than that, we can show the following lemma.

Lemma 7. In the above $k$-multiple-use $A^2$-code, $P_R = 1/p$.

Proof. $\mathcal{R}$ has a secret key $e_r = (r, g(y))$, where $g(y) = f_0(y) + r f_1(y)$ for some $f_0(y)$ and $f_1(y)$ of degree at most $k - 1$. Suppose that $\mathcal{R}$ received $m_1 = (s_1, a_1), \ldots, m_l = (s_l, a_l)$. Let

$$F_0 = \{(f_0(y), f_1(y)) \mid g(y) = f_0(y) + r f_1(y), \ \deg f_0(y) \le k - 1, \ \deg f_1(y) \le k - 1\},$$

$$F_1 = \{(f_0(y), f_1(y)) \mid a_i = (f_0(s_i), f_1(s_i)), \ i = 1, \ldots, l\}.$$

Then $\mathcal{R}$ knows that $e_t \in F_0 \cap F_1$.

Next suppose that $\mathcal{R}$ claims that she received $(s', a')$ such that $s' \notin \{s_1, \ldots, s_l\}$. If $m'$ could be made by $T$, then $a' = (f_0(s'), f_1(s'))$. Let

$$F_2 = \{(f_0(y), f_1(y)) \mid a' = (f_0(s'), f_1(s'))\}.$$

Then,

$$\Pr(a' = e_t(s')) = |F_0 \cap F_1 \cap F_2| / |F_0 \cap F_1| = p^{k-l-1} / p^{k-l} = 1/p.$$

□

Then we see that our multiple-use $A^2$-code is optimum and Theorem 5 is tight because our multiple-use $A^2$-code satisfies all the equalities of Theorem 5.
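The Appendix B code and Lemma 7, as an added example that is not part of the original paper: the polynomial $A^2$-code over $GF(p)$ with all three phases, plus an exhaustive computation of $P_{O_0}$, $P_{O_1}$ and $P_{R_1}$ for the toy parameters $p = 5$, $k = 2$, each of which comes out as exactly $1/p$. The tiny prime and the enumeration strategy are my assumptions; the scheme itself is the paper's.

```python
"""k-multiple-use A^2-code over GF(p) from Appendix B, with exact brute-force
cheating probabilities on a tiny parameter set (added example, not the paper's
own code; p is chosen small so the whole key space can be enumerated)."""
from collections import defaultdict
from fractions import Fraction
from itertools import product
import random


def poly_eval(coeffs, x, p):
    """Evaluate sum_j coeffs[j] * x^j over GF(p)."""
    return sum(c * pow(x, j, p) for j, c in enumerate(coeffs)) % p


def keygen(p, k, rng=random):
    """Initialization phase: e_t = (f0, f1), e_r = (r, g), g = f0 + r*f1."""
    r = rng.randrange(p)
    f0 = tuple(rng.randrange(p) for _ in range(k))   # degree <= k-1
    f1 = tuple(rng.randrange(p) for _ in range(k))
    g = tuple((a + r * b) % p for a, b in zip(f0, f1))
    return (f0, f1), (r, g)


def transmit(e_t, s, p):
    """Communication phase: T sends m = (s, f0(s), f1(s))."""
    f0, f1 = e_t
    return (s % p, poly_eval(f0, s, p), poly_eval(f1, s, p))


def receiver_accepts(e_r, m, p):
    """R accepts (s, a, b) iff g(s) = a + r*b."""
    r, g = e_r
    s, a, b = m
    return poly_eval(g, s, p) == (a + r * b) % p


def arbiter_accepts(e_t, m, p):
    """Dispute phase: the arbiter accepts iff a = f0(s) and b = f1(s)."""
    f0, f1 = e_t
    s, a, b = m
    return poly_eval(f0, s, p) == a and poly_eval(f1, s, p) == b


def all_keys(p, k):
    """Every (e_t, e_r) pair the arbiter can generate, each equally likely."""
    for r in range(p):
        for f0 in product(range(p), repeat=k):
            for f1 in product(range(p), repeat=k):
                g = tuple((a + r * b) % p for a, b in zip(f0, f1))
                yield (f0, f1), (r, g)


def outside_enemy_success(p, k, observed_states):
    """P_{O_i}: O sees T's messages for `observed_states` (i of them) and
    replaces the last one by the best m' != m_i. Returns the exact value
    E_view[ max_m' Pr(R accepts m' | view) ] with keys uniform."""
    views = defaultdict(list)            # view -> e_r of every consistent key
    for e_t, e_r in all_keys(p, k):
        views[tuple(transmit(e_t, s, p) for s in observed_states)].append(e_r)
    total = Fraction(0)
    for view, keys in views.items():
        last = view[-1] if view else None
        best = max(sum(receiver_accepts(e_r, m, p) for e_r in keys)
                   for m in product(range(p), repeat=3) if m != last)
        total += Fraction(best, p ** (2 * k + 1))   # Pr(view) * best/|keys|
    return total


def receiver_success(p, k, observed_states, s_new):
    """P_{R_l}: R knows e_r and l genuine messages and claims (s', a') for a
    fresh s'; the claim wins the dispute iff a' = e_t(s') (cf. Lemma 7)."""
    views = defaultdict(list)            # (e_r, messages) -> consistent e_t
    for e_t, e_r in all_keys(p, k):
        msgs = tuple(transmit(e_t, s, p) for s in observed_states)
        views[(e_r, msgs)].append(e_t)
    total = Fraction(0)
    for keys in views.values():
        counts = defaultdict(int)
        for e_t in keys:
            counts[transmit(e_t, s_new, p)] += 1   # candidate (s', f0(s'), f1(s'))
        total += Fraction(max(counts.values()), p ** (2 * k + 1))
    return total


if __name__ == "__main__":
    p, k = 5, 2
    e_t, e_r = keygen(p, k, random.Random(1))
    m = transmit(e_t, 3, p)
    print("genuine message accepted:", receiver_accepts(e_r, m, p),
          arbiter_accepts(e_t, m, p))
    print("P_O0 (impersonation):", outside_enemy_success(p, k, []))
    print("P_O1 (substitution): ", outside_enemy_success(p, k, [1]))
    print("P_R1 (Lemma 7):      ", receiver_success(p, k, [1], 2))
```

The key-space counts $p^{2k}$ and $p^{k+1}$ from the text can be checked directly by counting the distinct $e_t$ and $e_r$ that `all_keys` yields.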
Abstract. Anonymous channels or similar techniques that can achieve sender anonymity play important roles in many applications. However, they will be meaningless if cryptographic primitives containing the sender's identity are carelessly used during the transmission.

The main contribution of this paper is to study security primitives for the above problem. In this paper, we first define the unconditionally secure asymmetric encryption scheme (USAE), which is an encryption scheme with unconditional security in which it is impossible for a receiver to deduce the identity of a sender from the encrypted message. We also investigate tight lower bounds on required memory sizes from an information theoretic viewpoint and show an optimal construction based on polynomials. We also show a construction based on combinatorial theory, a non-malleable scheme and a multi-receiver scheme. Then, we define and formalize the group authentication code (GA-code), which is an unconditionally secure authentication code with anonymity like group signatures. In this scheme, any authenticated user will be able to generate and send an authenticated message while the receiver can verify that the message has been sent from a legitimate user, who at the same time retains his anonymity. For GA-code, we show two concrete constructions.


1 Introduction

In many applications, there is a need to allow a user or the author of a message to transmit the message without revealing his/her identity, e.g. electronic voting. The most commonly used cryptographic technique for building an actual implementation with these characteristics is called an anonymous channel […]. However, if not carefully designed, i.e. when a sender uses encryption and authentication methods requiring the sender's identity for decryption or message verification, these systems can be easily compromised, thus corrupting results or violating senders' privacy. For example, if Diffie-Hellman key exchange (with certificates) […] or (conventional) digital signatures are used, the receiver will be able to easily obtain information regarding the sender's identity, and may also leave the message contents along with the identity of the sender open to perusal. In the computationally secure setting, this problem can be solved straightforwardly by using (conventional) public-key encryption, e.g. […], and group signatures […], shielding the sender's identity. These schemes and the infrastructure within which they operate are restricted in scope in that they rely for their security on the assumed computational difficulty of certain number-theoretic problems, such as factoring large composites or solving discrete logarithms in large finite fields. However, this presumption no longer assures the security of computationally secure schemes as progress in computers as well as further refinement of various algorithms in the near future make it feasible to solve larger instances of these number-theoretic problems. Unfortunately, in the unconditionally secure environment, in which no computational difficulty is assumed, there is yet no straightforward answer to this; all of the currently existing schemes use mutual information between sender and receiver, and this mutual information is utilized as a shared communication key between them. This implies that the receiver has to know certain information regarding the sender prior to selecting a shared secret, and this means loss of anonymity. (This also implies that an unconditionally secure public-key encryption scheme is essentially non-existent, since in the model of public-key cryptosystems, a sender and a receiver do not share mutual information.) As increasing computational power approaches the point where a security policy can no longer rely on the difficulty of computationally hard problems, it must shift its focus to assuring the soundness of unconditionally secure schemes that provide long-term security. A similar problem arises in authentication as well. In conventional authentication schemes, the identity of the sender is required for verifying the integrity of a transmitted message. In order to protect the sender's privacy in a computationally secure setting, group signatures […] were proposed, and since then group signatures have been studied extensively in the literature. However, in the unconditional setting, there has never existed an authentication scheme that assures anonymity of the sender like that seen in group signature schemes. Given the importance of preparing for the eventual need for long-term security, the unconditionally secure setting must be considered a sine qua non for a security policy. The main contribution of this paper is to study models, bounds and constructions of novel security primitives for the above problem with no computational assumption. In this paper, we first define the unconditionally secure asymmetric encryption scheme (USAE), which is an encryption scheme with unconditional security in which a receiver cannot obtain any information on the identity of a sender from the encrypted message. We also investigate tight lower bounds on required memory sizes from information


Unconditionally Secure Anonymous Encryption and Group Authentication 


83 


theory and also show concrete constructions of USAE schemes based on polynomials and cover free families […]. The USAE based on polynomials is optimal in that it matches the lower bounds. We further show another construction from combinatorial theory, a non-malleable scheme and a multi-receiver scheme. We then define and formalize the group authentication code, which is an unconditionally secure authentication code with anonymity like group signatures. In this proposed scheme, any authenticated user will be able to generate an authenticated message and send it to the receiver. The receiver is then able to verify the authenticity of the received message while maintaining the privacy of the user. Moreover, neither a recipient nor a group authority can obtain any meaningful information on the user who generated the authenticated message, i.e. no one can link any message to the author who cast it. However, by cooperating with the group authority, such as in the case of disputes, the receiver is able to obtain the sender's identity.


1.1 Related Works

Unconditionally Secure Key Distribution Schemes. For confidentiality without computational assumptions, unconditionally secure key distribution schemes are often utilized as suitable security primitives. Blom […] made the first attempt to construct an unconditionally secure key distribution scheme using MDS linear codes, and his idea was later generalized by Matsumoto and Imai [22] as key predistribution schemes (KPS); they also proposed a simpler version of KPS, the linear scheme. Blundo, De Santis, Herzberg, Kutten, Vaccaro and Yung […] proposed a concrete construction of KPS for conference key distribution, investigated lower bounds on the required memory size for users and showed that their scheme, as well as Blom's original scheme and the Matsumoto-Imai scheme, all matched the lower bounds. Blundo, Mattos and Stinson […], as well as Kurosawa, Yoshida, Desmedt and Burmester […], showed other interesting bounds on required memory sizes. In […] an in-depth survey of various constructions of KPS and their properties has been given. KPS may seem to be the best building blocks for unconditionally secure communication systems; however, they are not suitable for certain applications, e.g. electronic voting systems, that must ensure users' anonymity, because the identity of a sender is required for a recipient to generate the communication key. In all of the existing KPS hitherto, both the sender's and the receiver's secret information must be used to generate the communication key, and therefore none of the currently existing schemes meets the security requirement for a system with anonymity. As far as we know, there has never existed an unconditionally secure key distribution scheme without the requirement of the sender's identity.

Unconditionally Secure Authentication Schemes and Group Signatures. For secure authentication without computational assumptions, unconditionally secure authentication codes (A-codes) […] may be considered, which have been intensively studied in the literature. The overall structure of A-codes is as follows. In the first stage of an A-code, a trusted authority generates secret information for each of the sender and the receiver. Then, the sender generates an authenticated message by using his given secret information and transmits it to the receiver. Finally, the receiver verifies the validity of the authenticated message with his secret information. Here, no adversary succeeds in an impersonation or substitution attack even if the adversary has unlimited computational power. There have also been many attempts to modify A-codes with the aim of enhancing the codes with desirable properties other than anonymity, such as asymmetry […] and multi-receiver authenticity […]. However, in all of these attempted modifications, receivers were still able to identify the sender of the message. Thus, there were no existing A-codes or variants applicable to the protection of the sender's identity, i.e. none with anonymity. Though some unconditionally secure digital signature schemes […] do exist, these schemes too do not provide anonymity. However, in computationally secure settings, anonymity can be achieved by using group signatures […]. With a group signature, a user is able to prove that he is a legitimate member of the group by using secret information given by a group authority, and in the case of a dispute, the group authority can identify the user from a published signature signed by the user. A group signature is therefore a suitable authentication scheme, especially for cases where the privacy of the user has to be maintained. However, all the existing group signature schemes are based on computational assumptions and will be broken if certain computationally hard problems, e.g. discrete logarithm or factoring, are solved.

1.2 Our Results

We start this paper by defining the unconditionally secure asymmetric encryption scheme (USAE) with formal definitions. USAE is an encryption scheme with unconditional security in which a receiver cannot gain any information about a particular user from an encrypted message. We investigate, from information theory, the lower bounds on the required memory sizes of a ciphertext, a sender's secret and a receiver's secret. Further, we propose concrete constructions of USAE based on polynomials and also constructions based on cover free families. The polynomial based construction is optimal in that it matches the lower bounds, which in turn implies that the lower bounds are all tight. It is remarkable that the bounds we show are considerably different from those in Shannon's model for conventional unconditionally secure symmetric encryption. A comparison between polynomial-based and cover free family-based schemes is also made. In addition, we study an extension of USAE with non-malleability. More precisely, a formal definition of non-malleability, a concrete non-malleable scheme and a security proof are investigated. Furthermore, another extension of USAE, for the multiple-receiver setting, is shown. We continue by defining the group authentication code (GA-code) with formal definitions. A GA-code is an unconditionally secure authentication code with anonymity like group signatures. In GA-codes, any user in a group can generate an authenticated message, and the receiver can verify it as long as it has been sent from a legitimate user in the group. Moreover, a receiver is not able to obtain any meaningful information about the particular user who generated the authenticated message. However, in the case of disputes, a receiver is able to obtain the sender's identity by cooperating with a group authority. It is important to note here that neither the group authority nor the receiver by itself is able to obtain any information regarding the user, i.e. they must cooperate. We then show two concrete constructions of GA-code with formal security proofs. One construction is based on polynomials and the other on cover free families and A-codes. The organization of this paper is as follows: In Section 2, we study the model, bounds and constructions for USAE. The polynomial based USAE construction is optimal in that it matches the lower bounds. This in turn implies that the lower bounds are all tight. We also show other efficient and secure implementations of USAE. In Section 3, we show the model and a concrete construction for GA-code with a formal security proof.

2 Unconditionally Secure Asymmetric Encryption 

In this section, model, security definition, lower bounds and concrete construc- 
tions of USAE are shown. One of our constructions is optimal in terms of re- 
quired memory sizes for a ciphertext, an encryption key and a decryption key. 
It should be noted that the definition that we use for “asymmetric encryption” 
in this paper is not equivalent to the meaning of “public-key encryption” in a 
general sense. Here, in USAE, “asymmetric” is used as a pair of encryption and 
decryption keys that are asymmetric, where an encryption key is not public. 


2.1 Model 

Since no computational difficulty is assumed in USAE, it is impossible for a sender to secretly transmit a message using only public information. This means that in order to construct a USAE, a different assumption (rather than a computational assumption) is required, e.g. the existence of a noisy channel or of a quantum channel, a bound on memory, or a threshold on the number of malicious users. For simplicity, we introduce the trusted initializer model […], in which we assume a trusted initializer who honestly distributes each user's secret in the initial phase and deletes his memory after the distribution of the secrets. We should note that the trusted initializer can be removed by using multi-party computation […] if the number of malicious users is less than a third of the total number of users and there exists a private channel between each pair of users.

In the model of USAE, there are $n + 2$ participants: a set of $n$ senders $\{S_1, \ldots, S_n\}$, a receiver $R$ and a trusted initializer $TI$. $TI$ generates encryption keys $e_1, \ldots, e_n$ for $S_1, \ldots, S_n$, respectively, and a decryption key $d$ for $R$. After distributing these keys, $TI$ deletes his memory. In order to send a plaintext $m$ to $R$ with confidentiality, the sender $s = S_i \in \{S_1, \ldots, S_n\}$ encrypts $m$ by using $e_i$ and transmits a ciphertext $c$ to $R$. $R$ decrypts $c$ by using $d$ and recovers $m$.
2.2 Definition

Here, we formally define the security of USAE. It should be noted that, in addition to confidentiality, anonymity of a sender is required for USAE. Let $\mathcal{S}$, $\mathcal{E}_i$ $(i = 1, \ldots, n)$, $\mathcal{D}$, $\mathcal{M}$ and $\mathcal{C}$ denote the random variables induced by $s$, $e_i$ $(i = 1, \ldots, n)$, $d$, $m$ and $c$, respectively. For a random variable $\mathcal{X}$, $H(\mathcal{X})$ denotes the entropy of $\mathcal{X}$. For $\mathcal{X}$, let $X := \{x \mid \Pr(\mathcal{X} = x) > 0\}$; $|X|$ denotes the cardinality of $X$. We assume that at most $k$ $(0 \le k \le n - 1)$ authorized senders are malicious. Then, the security of USAE is formally defined as follows:

Definition 1. We say that $(\mathcal{E}_1, \ldots, \mathcal{E}_n, \mathcal{D}, \mathcal{M}, \mathcal{C})$ is a $(k, n)$-one-time USAE if

1. $R$ can correctly decrypt $m$ from $c$, that is, $H(\mathcal{M} \mid \mathcal{C}, \mathcal{D}) = 0$.

2. Any set of $k$ malicious senders has no information on $m$ from $c$. Namely, for any set of $k$ malicious senders $\{S_{i_1}, \ldots, S_{i_k}\} \subset \{S_1, \ldots, S_n\}$ such that $s \notin \{S_{i_1}, \ldots, S_{i_k}\}$, $H(\mathcal{M} \mid \mathcal{C}, \mathcal{E}_{i_1}, \ldots, \mathcal{E}_{i_k}) = H(\mathcal{M})$.

3. $R$ obtains no information on the identity of $s$ from $c$. Namely, $H(\mathcal{S} \mid \mathcal{C}) = H(\mathcal{S})$.

4. Additionally, we assume that a ciphertext $c$ is uniquely determined from a plaintext $m$ and an encryption key $e_i$, i.e. $H(\mathcal{C} \mid \mathcal{M}, \mathcal{E}_i) = 0$ for any $i$.

2.3 Lower Bounds

In this subsection, lower bounds on the required memory sizes for a ciphertext, an encryption key and a decryption key in USAE are shown. These bounds are all tight since we also show a construction which matches them (see Section 2.4 for details). Note that the proofs of Theorems 1 and 3 and Lemma 1 are omitted and will appear in the full version of this paper. We begin by showing a lower bound on the required memory size for a ciphertext.

Theorem 1. In a $(k, n)$-one-time USAE, $H(\mathcal{C}) \ge H(\mathcal{M}) + H(\mathcal{S})$.

Theorem 1 implies that the required memory size for a ciphertext is always larger than that for a plaintext by at least $H(\mathcal{S})$ bits. Next is a lemma that shows the relationship between the required memory size for an encryption key $e_i$ and for a ciphertext $c$ in USAE.

Lemma 1. In a $(k, n)$-one-time USAE, $H(\mathcal{E}_i) \ge H(\mathcal{C})$ for any $i$.

Lemma 1 implies that the memory size requirement for an encryption key in USAE is equal to or greater than that for a ciphertext. This is also closely related to Shannon's famous result […]. That is, in unconditionally secure symmetric encryption, it is a well-known fact that the required memory size for an encryption key is equal to or greater than that for a plaintext, assuming that a ciphertext is uniquely determined from a plaintext and an encryption key. Now, a lower bound on the required memory size for an encryption key is shown.

Theorem 2. In a $(k, n)$-one-time USAE, $H(\mathcal{E}_i) \ge H(\mathcal{M}) + H(\mathcal{S})$ for any $i$.

Proof. From Lemma 1 and Theorem 1 we have $H(\mathcal{E}_i) \ge H(\mathcal{M}) + H(\mathcal{S})$ for any $i$. □

Theorem 2 implies that the required memory size for an encryption key is always larger than that for a plaintext by at least $H(\mathcal{S})$ bits. Finally, we show a lower bound on the required memory size for a decryption key.

Theorem 3. In a $(k, n)$-one-time USAE, $H(\mathcal{D}) \ge (k + 1) H(\mathcal{M})$ if the equality in Lemma 1 is satisfied for any $i$.

Theorem 3 implies that the required memory size for a decryption key is $(k + 1)$ times larger than that for a plaintext.


2.4 Constructions 

Now, we show two concrete constructions of USAE. One of the constructions is 
based on polynomials over finite fields, and the other one on cover free family 
m The polynomial based construction is optimal in terms of required memory 
sizes for a ciphertext, an encryption key and a decryption key. For the cover free 
family construction, security parameters can be flexibly determined. 

In this subsection, we assume that the distribution of the sender is uniform, 
that is, Pr(<S = Sf) = ^ for any i (1 < i < n). 

Optimal Construction from Polynomials. Here, we show an optimal 
( k , n)-one-time USAE which meets all our bounds. This means that the lower 
bounds in the previous subsection are all tight. 

Definition 2. A ( k , n)-one-time USAE is optimal if one has equalities in The- 
orem Q El and 0 

Optimal (k, n)-One-Time USAE Based on Polynomials

1. Setting Up: Let $|M| = q$, where $q$ is a prime power and $q \ge n$. TI chooses a uniformly random polynomial $f(x) = \sum_{i=0}^{k} a_i x^i$ over $GF(q)$. TI also chooses distinct numbers $b_i$ ($1 \le i \le n$) from a set $B \subset GF(q)$ uniformly at random, where $|B| = n$. $B$ may be public to all players. Next, TI gives $f(x)$ to $R$ as his decryption key, and also gives $\{b_1, f(b_1)\}, \{b_2, f(b_2)\}, \ldots, \{b_n, f(b_n)\}$ to $S_1, S_2, \ldots, S_n$ as encryption keys, respectively. TI deletes his memory after distributing the keys.

2. Encryption: Sender $S_i$ encrypts $m$ by $c = \{b_i, c'\}$, where $c' := f(b_i) + m$.

3. Decryption: Receiver $R$ decrypts $c$ by $f(x)$ as follows: $m = c' - f(x)|_{x=b_i}$.

Theorem 4. The above scheme is an optimal $(k,n)$-one-time USAE.

Proof. In the above scheme, $H(\mathcal{C}) = H(\mathcal{M}) + \log_2 n$, $H(\mathcal{E}_i) = H(\mathcal{M}) + \log_2 n$ ($1 \le i \le n$) and $H(\mathcal{D}) = (k+1)H(\mathcal{M})$. It is clear that the above scheme satisfies the first condition of Def. 1. Suppose that colluders $S_{i_1}, \ldots, S_{i_k}$, such that $S_i \notin \{S_{i_1}, \ldots, S_{i_k}\}$, can obtain certain information on $m$ from $c$. This implies that the colluders have certain information on $f(b_i)$. However, this is impossible because $\deg f(x) = k$ and the colluders know only $k$ points of $f(x)$. Hence, the above scheme satisfies the second condition of Def. 1. Finally, since, for a ciphertext $c = \{b, c'\}$ such that $b \in B$ and $c' = f(b) + m$, any of $S_1, \ldots, S_n$ can be a possible sender of the ciphertext from $R$'s point of view, $R$ can determine who the sender of the ciphertext is with probability at most $1/n$. Hence, the above scheme satisfies the third condition of Def. 1 as well. □

Goichiro Hanaoka et al.

Construction from Cover Free Family. Here, we show a construction of USAE based on a cover free family which allows a more flexible parameter setting than the polynomial based one. Namely, in the cover free family based construction, it is possible to choose parameters $n$ and $|M|$ with $|M| < n$, while, in the polynomial based construction, these two parameters must always satisfy $|M| \ge n$.

Definition 3. Let $L := \{l_1, l_2, \ldots, l_t\}$ and let $F = \{F_1, \ldots, F_n\}$ be a family of subsets of $L$. We call $(L, F)$ an $(n, t, k)$ cover free family (CFF) if $F_0 \not\subseteq F_1 \cup \cdots \cup F_k$ for all $F_0, F_1, \ldots, F_k \in F$, where $F_i \ne F_j$ if $i \ne j$.

A trivial CFF is the family consisting of single element subsets, in which case $n = t$. It should also be noted that there exist nontrivial constructions of CFF with $n > t$. Construction of CFFs is intensively studied in various areas of mathematics such as finite geometry, design theory, and probability theory, and concrete methods for generating CFFs can be found in that literature.

(k, n)-One-Time USAE Based on (n, t, k)-CFF

1. Setting Up: TI first generates an $(n, t, k)$-CFF such that each of $l_i$ ($1 \le i \le t$) is an element of $GF(q)$, where $M = GF(q)$. TI also chooses distinct numbers $r_i$ ($1 \le i \le n$) from $\{1, 2, \ldots, n\}$ uniformly at random. An algorithm that generates $F_i$ ($1 \le i \le n$) from $i$ and $L$ may be public to all players. Next, TI gives $L$ to $R$ as his decryption key. TI also gives $\{r_i, f^{(r_i)}\}$ ($1 \le i \le n$) to $S_i$ ($1 \le i \le n$), respectively, as encryption keys, where $f^{(r_i)} := \sum_{l \in F_{r_i}} l$. After distributing the keys, TI deletes his memory.

2. Encryption: Sender $S_i$ encrypts $m$ by $c = \{r_i, c'\}$, where $c' = m + f^{(r_i)}$.

3. Decryption: Receiver $R$ generates $F_{r_i}$ from $L$ and $r_i$. Then, $R$ computes $m$ as $m = c' - \sum_{l \in F_{r_i}} l$.

Theorem 5. The above scheme is a $(k,n)$-one-time USAE.

Proof. It is obvious that the above scheme satisfies all of the conditions in Def. 1. □

The required memory sizes for the above construction are formally addressed as follows:

Theorem 6. The required memory sizes in the above construction are given as follows:

$H(\mathcal{C}) = \log_2 nq$, $H(\mathcal{E}_i) = \log_2 nq$ for any $i$ ($1 \le i \le n$), $H(\mathcal{D}) = t \log_2 q$.

It should be noted that the cover free family based construction matches the lower bounds on the required memory sizes for a ciphertext and an encryption key.
Comparison. Here, a comparison between the polynomial and cover free family based constructions is explored. Given the facts described above, our polynomial construction is optimal in terms of required memory sizes. Therefore, the polynomial based construction is theoretically superior to the cover free family based construction storage wise. However, the polynomial based construction can only be implemented when $|M| \ge n$, although, in most practical situations, this restriction may be ignored. On the other hand, the cover free family based construction allows even $|M| < n$ when there exists an appropriate cover free family. We now show an example of system parameter settings in the case when this restriction does apply. For the following situation, the cover free family based construction will be more suitable than the polynomial based construction in terms of required memory sizes.

Example. Assume that the message space is {yes, no} and we need a $(127, 128)$-one-time USAE. For the polynomial based construction, a finite field $GF(q)$ with $q \ge 128$ is required. Consequently, the size of a ciphertext will be at least 14 bits. A receiver and a sender must then store at least 896 bits and 14 bits, respectively. For the cover free family based construction with the $(128, 128, 127)$-CFF (trivial CFF) over $GF(2)$, the size of a ciphertext will be 8 bits at the least, and a receiver and a sender store at least 128 bits and 8 bits, respectively. For the described situation, we can see a significant advantage of the cover free family based construction over the polynomial based construction.

In summary, different constructions are advantageous from different perspectives, so one construction may do better than another under certain circumstances. However, the polynomial based construction is generally most suitable for typical security parameter settings in USAE, and for the case when $|M| < n$, the cover free family based construction is better.

Memory size requirements can be reduced further for the above example if we utilize a nontrivial CFF instead. However, in a nontrivial CFF, the number of malicious senders cannot be set to a considerably large number relative to the total number of senders. This fact is due to the following proposition:

Proposition 1 [16]. In a nontrivial $(n,t,k)$-CFF with $n > t$, k ^ k ~^ < n.


2.5 Extensions 

Non-malleable Scheme. Here, we consider non-malleability of the proposed USAE. Informally, non-malleability means an adversary's inability, given a challenge ciphertext $c$, to generate a different ciphertext $\tilde c$ such that the plaintexts $m$, $\tilde m$ underlying these two ciphertexts are meaningfully related. For computational encryption schemes, formal definitions of non-malleability have been given in the literature. Here, we give a definition of non-malleability for USAE.

Definition 4. Let $\tilde c$ ($\ne c$) be another ciphertext which could have been generated by $s$ instead of $c$ in USAE, and $\tilde m$ ($\ne m$) be a plaintext underlying $\tilde c$. Let $\tilde{\mathcal{C}}$ and $\tilde{\mathcal{M}}$ denote random variables induced by $\tilde c$ and $\tilde m$, respectively. A USAE is perfectly non-malleable if the following equation holds:

$$H(\tilde{\mathcal{M}} \mid \mathcal{C}, \tilde{\mathcal{C}}, \mathcal{M}, \mathcal{E}_{i_1}, \ldots, \mathcal{E}_{i_k}) = H(\tilde{\mathcal{M}} \mid \mathcal{C}, \mathcal{M}), \quad (1)$$

for any set of $k$ malicious senders $\{S_{i_1}, \ldots, S_{i_k}\} \subset \{S_1, \ldots, S_n\}$ such that $s$

The above definition is reasonable since Eq. (1) implies that even if an adversary knows a pair $\{c, m\}$, there is no other ciphertext which can give further information except the information that its underlying plaintext is not identical to $m$. In other words, no adversary can generate a ciphertext whose plaintext is meaningfully related to $m$ when Eq. (1) holds.

A USAE which satisfies perfect non-malleability is constructed as follows: 

Non-malleable (k, n)-One-Time USAE Based on Polynomials

1. Setting Up: Let $|M| = q$, where $q$ is a prime power and $q \ge n$. TI chooses uniformly random polynomials $f_j(x) = \sum_{i=0}^{k} a_{j,i} x^i$ ($j = 1, 2$) over $GF(q)$. TI also chooses distinct numbers $b_i$ ($1 \le i \le n$) from a set $B \subset GF(q)$ uniformly at random, where $|B| = n$, such that $f_2(b_i) \ne 0$ for any $i$ ($1 \le i \le n$). $B$ may be public to all players. Next, TI gives $f_1(x)$ and $f_2(x)$ to $R$ as his decryption key, and also gives $\{b_1, f_1(b_1), f_2(b_1)\}, \{b_2, f_1(b_2), f_2(b_2)\}, \ldots, \{b_n, f_1(b_n), f_2(b_n)\}$ to $S_1, S_2, \ldots, S_n$ as encryption keys, respectively. TI deletes his memory after distributing the keys.

2. Encryption: Sender $S_i$ encrypts $m$ by $c = \{b_i, c'\}$, where $c' := f_1(b_i) + m f_2(b_i)$.

3. Decryption: Receiver $R$ decrypts $c$ by $f_1(x)$ and $f_2(x)$ as follows: $m = (c' - f_1(x)|_{x=b_i}) / f_2(x)|_{x=b_i}$.

Theorem 7. The above scheme is a perfectly non-malleable $(k,n)$-one-time USAE.

Proof. Similarly to the proof of Theorem 4, it can be proved that the above scheme is a $(k,n)$-one-time USAE. Now, we show that the above scheme satisfies the equality of Eq. (1). It is obvious that

$$H(\tilde{\mathcal{M}} \mid \mathcal{C}, \mathcal{M}) = -\sum_{m \in M} \sum_{\tilde m \in M \setminus \{m\}} \Pr(\mathcal{M} = m) \Pr(\tilde{\mathcal{M}} = \tilde m \mid \mathcal{M} = m) \cdot \log_2 \Pr(\mathcal{M} = m) \Pr(\tilde{\mathcal{M}} = \tilde m \mid \mathcal{M} = m). \quad (2)$$

Next, we show that $H(\tilde{\mathcal{M}} \mid \mathcal{C}, \tilde{\mathcal{C}}, \mathcal{M}, \mathcal{E}_{i_1}, \ldots, \mathcal{E}_{i_k})$ is equivalent to that in Eq. (2). Since both $\deg f_1(x)$ and $\deg f_2(x)$ are $k$, no information on $f_1(x)$ and $f_2(x)$ can be obtained even if $e_{i_1}, \ldots, e_{i_k}$ are used. Then, the set of all possible values for $(f_1(b_i), f_2(b_i))$ becomes $\Gamma := \{(\gamma_1, \gamma_2) \mid c' = \gamma_1 + m\gamma_2, \gamma_2 \ne 0\}$. Consequently, for a given $\tilde c (= \{b_i, \tilde c'\})$, the set of all possible plaintexts $\tilde m$ underlying $\tilde c$ is $M' := \{m' \mid m' = (\tilde c' - \gamma_1)/\gamma_2, \forall (\gamma_1, \gamma_2) \in \Gamma\}$. From Lemmas 2 and 3 we have $M' = M \setminus \{m\}$, and the mapping $\tau : \Gamma \to M'$ such that $\tau(\gamma_1, \gamma_2) = (\tilde c' - \gamma_1)/\gamma_2$ is bijective. Hence, we have

$$H(\tilde{\mathcal{M}} \mid \mathcal{C}, \tilde{\mathcal{C}}, \mathcal{M}, \mathcal{E}_{i_1}, \ldots, \mathcal{E}_{i_k}) = -\sum_{m \in M} \sum_{(\gamma_1, \gamma_2) \in \Gamma} \Pr(\mathcal{M} = m) \Pr(\tilde{\mathcal{M}} = \tau(\gamma_1, \gamma_2) \mid \mathcal{M} = m) \cdot \log_2 \Pr(\mathcal{M} = m) \Pr(\tilde{\mathcal{M}} = \tau(\gamma_1, \gamma_2) \mid \mathcal{M} = m)$$

$$= -\sum_{m \in M} \sum_{\tilde m \in M \setminus \{m\}} \Pr(\mathcal{M} = m) \Pr(\tilde{\mathcal{M}} = \tilde m \mid \mathcal{M} = m) \cdot \log_2 \Pr(\mathcal{M} = m) \Pr(\tilde{\mathcal{M}} = \tilde m \mid \mathcal{M} = m). \quad (3)$$

From Eqs. (2) and (3), Eq. (1) holds. □

Lemma 2. For a given ciphertext $c (= \{b_i, c'\}) \in C$ and its corresponding plaintext $m \in M$, let $\Gamma := \{(\gamma_1, \gamma_2) \mid c' = \gamma_1 + m\gamma_2, \gamma_2 \ne 0\}$. Then, for any $\tilde c (= \{b_i, \tilde c'\}) \in C$ such that $\tilde c' \ne c'$, $(\tilde c' - \gamma_1)/\gamma_2 \ne m$ if $(\gamma_1, \gamma_2) \in \Gamma$.

Proof. Suppose that there exists $(\gamma_1, \gamma_2) \in \Gamma$ such that $(\tilde c' - \gamma_1)/\gamma_2 = m$. Then, $\tilde c' = \gamma_1 + m\gamma_2 = c'$. Since $\tilde c' \ne c'$, this is a contradiction. □

Lemma 3. For a given ciphertext $c (= \{b_i, c'\}) \in C$ and its corresponding plaintext $m \in M$, let $\Gamma := \{(\gamma_1, \gamma_2) \mid c' = \gamma_1 + m\gamma_2, \gamma_2 \ne 0\}$. Then, for any $\tilde c (= \{b_i, \tilde c'\}) \in C$ such that $\tilde c' \ne c'$, $(\tilde c' - \gamma_{11})/\gamma_{12} \ne (\tilde c' - \gamma_{21})/\gamma_{22}$ if $(\gamma_{11}, \gamma_{12}) \ne (\gamma_{21}, \gamma_{22})$ and $(\gamma_{11}, \gamma_{12}), (\gamma_{21}, \gamma_{22}) \in \Gamma$.

Proof. Suppose that there exist $(\gamma_{11}, \gamma_{12}), (\gamma_{21}, \gamma_{22}) \in \Gamma$ such that $(\tilde c' - \gamma_{11})/\gamma_{12} = (\tilde c' - \gamma_{21})/\gamma_{22}$. Letting $m' := (\tilde c' - \gamma_{11})/\gamma_{12}$ $(= (\tilde c' - \gamma_{21})/\gamma_{22})$, we have $\tilde c' = \gamma_{11} + m'\gamma_{12} = \gamma_{21} + m'\gamma_{22}$. Hence,

$$(\gamma_{11} - \gamma_{21}) = -m'(\gamma_{12} - \gamma_{22}). \quad (4)$$

Also, since $c' = \gamma_{11} + m\gamma_{12} = \gamma_{21} + m\gamma_{22}$, it is clear that

$$(\gamma_{11} - \gamma_{21}) = -m(\gamma_{12} - \gamma_{22}). \quad (5)$$

From Eqs. (4) and (5), it is obvious that $(\gamma_{11} - \gamma_{21}) = (\gamma_{12} - \gamma_{22}) = 0$ or $m' = m$. When $(\gamma_{11} - \gamma_{21}) = (\gamma_{12} - \gamma_{22}) = 0$, we get $(\gamma_{11}, \gamma_{12}) = (\gamma_{21}, \gamma_{22})$. This is a contradiction. On the other hand, when $m' = m$, this is also a contradiction due to Lemma 2. □

Multiple-Receiver Scheme. The model of USAE described in Section 2.1 is built for a single receiver. That is, there exists only one receiver in the entire model. We can extend the model to a multiple-receiver model and show an efficient implementation of it. A more detailed discussion will be provided in the full version of this paper.
3 Group Authentication Code

In this section, we show a model, security definition and a concrete construction of GA-code, which is an unconditionally secure authentication code with anonymity like group signatures. With the combination of USAE and GA-code, a secure communication system which assures confidentiality, authenticity and user's anonymity can be constructed without any computational assumptions.


3.1 Model 

Similar to what we saw in the model of USAE, we introduce the trusted initializer model for GA-code as well. In the GA-code model, there are $n + 3$ participants: a set of $n$ senders $\{S_1, \ldots, S_n\}$, a receiver $R$, a group authority $G$ and a trusted initializer, TI. TI generates secret information $u_1, \ldots, u_n$ for $S_1, \ldots, S_n$, respectively, and secret information $v$ for $R$. TI also generates secret information $w$ for $G$. After distributing these keys, TI deletes his memory. In order to send a plaintext $m$ to $R$ with authenticity, $s \in \{S_1, \ldots, S_n\}$ generates an authenticated message $a$ from $m$ by using $u_i$ and transmits $a$ to $R$. $R$ verifies the validity of $a$ by using $m$ and $v$. In a situation where $R$ wants to reveal the identity of the sender, $R$ can obtain it by cooperating with $G$ only if $G$ approves $R$'s request.


3.2 Definition 

Here, we formally define the security of GA-code. In GA-code, a sender is able to prove that he is a legitimate member of a group $\{S_1, \ldots, S_n\}$. In addition, by cooperating with $G$, $R$ can obtain the identity of the sender fairly simply. However, neither $R$ nor $G$ alone can reveal the sender's identity.

An adversary can perform impersonation or substitution by constructing a fraudulent codeword. The attack is considered successful if the receiver accepts the codeword. In impersonation, an adversary is assumed not to have seen any prior communication, while in substitution, the adversary has seen at least one transmitted codeword. Both impersonation and substitution can be performed by either senders or outsiders, where none of TI, $G$, $R$, $S_1, \ldots, S_n$ is included in a collusion of outsiders. Also, a senders' attack is considered successful if a fraudulent codeword is accepted by the receiver and the fraudulent message is not traced back to the malicious sender who wrote it by the receiver and the group authority. An outsiders' attack is considered successful if the receiver accepts the fraudulent codeword. Note that a mixed collusion attack delivered together by senders and outsiders is regarded as an attack made only by senders.

Let $\mathcal{S}$, $\mathcal{U}_i$ ($i = 1, \ldots, n$), $\mathcal{V}$, $\mathcal{W}$, $\mathcal{M}$ and $\mathcal{A}$ denote the random variables induced by $s$, $u_i$ ($i = 1, \ldots, n$), $v$, $w$, $m$ and $a$, respectively. For $\mathcal{X}$, let $X := \{x \mid \Pr(\mathcal{X} = x) > 0\}$. $|X|$ denotes the cardinality of $X$.

We assume that at most $k$ ($0 \le k \le n - 1$) authorized senders are malicious. Then, the security of GA-code is formally defined as follows:

Definition 5. We say that $(\mathcal{U}_1, \ldots, \mathcal{U}_n, \mathcal{V}, \mathcal{W}, \mathcal{M}, \mathcal{A})$ is a $(p, k, n)$-one-time group authentication code (GA-code) if

1. Any set of $k$ malicious senders can perform impersonation with probability at most $p$. Namely, for any set of $k$ malicious senders $\{S_{i_1}, \ldots, S_{i_k}\} \subset \mathcal{S}$,

$\max_{u_{i_1}, \ldots, u_{i_k}} \max_a \Pr(R \text{ accepts } a \wedge \text{none of } \{S_{i_1}, \ldots, S_{i_k}\} \text{ is detected as the sender of } a \mid u_{i_1}, \ldots, u_{i_k}) \le p$.

2. Any outsiders can perform impersonation with probability at most $p$, i.e. $\max_a \Pr(R \text{ accepts } a) \le p$.

3. Any set of $k$ malicious senders can perform substitution with probability at most $p$. Namely, letting $s = S_{i_0}$, for any set of $k$ malicious senders $S_{i_1}, \ldots, S_{i_k}$ such that $S_{i_0} \notin \{S_{i_1}, \ldots, S_{i_k}\}$,

$\max_{u_{i_1}, \ldots, u_{i_k}} \max_{a'} \max_{a \ne a'} \Pr(R \text{ accepts } a \wedge \text{none of } \{S_{i_1}, \ldots, S_{i_k}\} \text{ is detected as the sender of } a \mid u_{i_1}, \ldots, u_{i_k}, a') \le p$,

where $a'$ is taken over the set of valid authenticated messages which can be generated by $S_{i_0}$.

4. Any set of outsiders can perform substitution with probability at most $p$, i.e. letting $a'$ be an authenticated message which is generated by an honest user, $\max_{a'} \max_{a \ne a'} \Pr(R \text{ accepts } a \mid a') \le p$.

5. $R$ obtains no information on the identity of $s$ from $a$, namely, $\Pr(\mathcal{S} = S_i \mid a, v) = \Pr(\mathcal{S} = S_i)$ for any $a$ and $i$ ($1 \le i \le n$).

6. $G$ obtains no information on the identity of $s$ from $a$, namely, $\Pr(\mathcal{S} = S_i \mid a, w) = \Pr(\mathcal{S} = S_i)$ for any $a$ and $i$ ($1 \le i \le n$).

7. Cooperating with $G$, $R$ can reveal the identity of the sender of the authenticated message $a$ with probability more than $\Pr(\mathcal{S} = S_{i_0})$, where $S_{i_0}$ is the sender of $a$.

3.3 Constructions 

In this subsection, we show a couple of constructions of GA-codes; one is based on polynomials and the other is based on cover free families.

Construction from Polynomials. Based on polynomials, a GA-code can be constructed as follows:

GA-Code Based on Polynomials

1. Setting Up: Let $M = GF(q) \setminus \{0\}$, where $q$ is a prime power and $q \ge n$. TI chooses uniformly random polynomials $f(x)$ and $g(x)$ over $GF(q)$ such that $\deg f(x) \le k + 1$ and $\deg g(x) \le k + 1$. TI also chooses distinct numbers $b_i$ ($1 \le i \le n$) from $B \subset GF(q)$ uniformly at random, where $|B| = n$, such that $f(b_i) \ne f(b_j)$ for any $i, j$ with $1 \le i, j \le n$, $i \ne j$. Next, TI gives $f(x)$ and $g(x)$ to $R$ as $v$, and also gives $\{b_1, f(b_1), g(b_1)\}, \{b_2, f(b_2), g(b_2)\}, \ldots, \{b_n, f(b_n), g(b_n)\}$ to $S_1, S_2, \ldots, S_n$ as $u_1, u_2, \ldots, u_n$, respectively. TI also generates a mapping $\pi : GF(q) \to \mathcal{S}$ such that $\pi(f(b_i)) = S_i$ and gives it to $G$ as $w$. TI deletes his memory after distributing the keys.

2. Message Generation: Sender $S_i$ generates an authenticated message $a$ for $m$ as $a = \{m, b_i, h\}$, where $h := f(b_i)m + g(b_i)$.

3. Verification: Receiver $R$ accepts $a$ as valid if $h$ is identical to $f(x)|_{x=b_i}\, m + g(x)|_{x=b_i}$.

4. Tracing: When $R$ wants to reveal the identity of the sender, $R$ first sends a request to $G$. If $R$'s request is approved by $G$, $R$ transmits $f(b_i)$ to $G$ via a secure channel. Then, $G$ reveals the sender's identity by $S_i = \pi(f(b_i))$ and transmits this result back to $R$.

The security of the above scheme is addressed as follows:

Lemma 4. In the GA-code based on polynomials, colluders, which include at most $k$ of $\{S_1, S_2, \ldots, S_n\}$, can perform impersonation with probability at most $1/q$. (See conditions 1 and 2 of Def. 5.)

Proof. For succeeding in impersonation by a collusion of senders $\{S_{i_1}, \ldots, S_{i_k}\}$, adversaries need to produce a fraudulent message $\{b, m', h'\}$ such that $h' = f(b)m' + g(b)$ and $b \notin \{b_{i_1}, \ldots, b_{i_k}\}$. Since the malicious senders have only $k$ points of $g(x)$, it is impossible to obtain any information on $g(b)$, and accordingly, they also have no information on $h'$. Therefore, the probability of succeeding in the attack will be at most $1/q$. In a similar manner, we can also prove that the probability of succeeding in outsiders' impersonation is at most $1/q$. □

Lemma 5. In the GA-code based on polynomials, colluders, which include at most $k$ of $\{S_1, S_2, \ldots, S_n\} \setminus \{S_{i_0}\}$, can perform substitution with probability at most $1/(q-k)$, where $S_{i_0}$ is the honest sender who sends a valid authenticated message $a'$ to $R$. (See conditions 3 and 4 of Def. 5.)

Proof. For succeeding in substitution by senders $\{S_{i_1}, \ldots, S_{i_k}\}$, adversaries need to produce a fraudulent message $\{b, m', h'\}$ such that $h' = f(b)m' + g(b)$, $b \notin \{b_{i_1}, \ldots, b_{i_k}\}$ and $\{b, m', h'\} \ne a' (= \{b_{i_0}, m, h\})$, where $a'$ is an authenticated message generated by $S_{i_0}$. For the fraudulent message $\{b, m', h'\}$ we consider the following cases: 1) $b = b_{i_0}$ and $m' \ne m$, 2) $b \ne b_{i_0}$ and $m' = m$, 3) $b \ne b_{i_0}$ and $m' \ne m$. For case 1), $b = b_{i_0}$ and $m' \ne m$, we have $h' = f(b)(m' - m) + h$. Since the adversaries only have $f(b_{i_1}), \ldots, f(b_{i_k})$, and $\deg f(x) = k + 1$, the only information the adversaries have is $f(b) \notin \{f(b_{i_1}), \ldots, f(b_{i_k})\}$. Consequently, there are $q - k$ possible values for $f(b)$. Hence, from $h' = f(b)(m' - m) + h$, there also exist $q - k$ different values for $h'$ for any $\{b_{i_0}, m, m', h\}$. This implies that the probability of succeeding in substitution does not exceed $1/(q-k)$. For case 2), $b \ne b_{i_0}$ and $m' = m$, we have $\deg(f(x)m' + g(x)) = k + 1$ and the adversaries have only $f(b_{i_0})m' + g(b_{i_0})$ and $f(b_{i_1})m' + g(b_{i_1}), \ldots, f(b_{i_k})m' + g(b_{i_k})$. Hence, the adversaries have no information on $h' = f(b)m' + g(b)$; consequently, the probability of succeeding in substitution does not exceed $1/q$. For case 3), $b \ne b_{i_0}$ and $m' \ne m$, we have $\deg g(x) = k + 1$ and the adversaries only have $f(b_{i_0})m + g(b_{i_0})$ and $g(b_{i_1}), \ldots, g(b_{i_k})$. This means that the adversaries have no information on $g(b)$. This also implies that they do not have any information on $h'$ because $h' = f(b)m' + g(b)$; consequently, the probability of succeeding in substitution does not exceed $1/q$. Similarly, we can also prove that the probability of succeeding in outsiders' substitution is at most $1/q$. □

Together, any adversaries can succeed in their impersonation or substitution with probability at most $1/(q-k)$.

Lemma 6. $R$ or $G$ can determine who had generated the authenticated message $a$ with probability at most $\Pr(\mathcal{S} = S_{i_0})$. Additionally, cooperating with $G$, $R$ can reveal the identity of the sender of the authenticated message $a$ with probability 1, if $a$ is valid. (See conditions 5, 6 and 7 of Def. 5.)

Proof. Regarding the sender's anonymity, it is clear that $R$ has no information on the identity of the sender since $R$ does not know the mapping $\pi$. Hence, $R$ can only determine the generator of the authenticated message $a$ with probability at most $\Pr(\mathcal{S} = S_{i_0})$. On the other hand, though $G$ knows $\pi$, $G$ too has no information regarding the identity of the sender since $G$ does not know $g(b_{i_0})$. The probability of $G$ determining who the generator of $a$ is, is at most $\Pr(\mathcal{S} = S_{i_0})$. However, by cooperating with $G$, $R$ can identify the sender with probability 1 if $a$ is valid. □

Theorem 8. The above scheme is a $(1/(q-k), k, n)$-one-time GA-code.

Proof. From Lemmas 4, 5 and 6, it is obvious that the above theorem is true. □

In the security definition of GA-code, it is assumed that $G$ does not join any colluders who try to perform impersonation or substitution. We should note that the probability of succeeding in substitution can be increased when $G$ joins a collusion attack. Since $G$ knows $f(b_i)$ which is assigned to $S_i$, for example, he can substitute a valid authenticated message $a := \{m, b_i, f(b_i)m + g(b_i)\}$ with a forged message $a' := \{m + 1, b_i, f(b_i)(m+1) + g(b_i)\}$ which will be accepted by $R$. If such an attack is to be avoided, we can fix the above scheme with a slight modification as follows: TI uniformly at random chooses two mappings $\pi_1 : \{1, 2, \ldots, n\} \to \{1, 2, \ldots, n\}$ and $\pi_2 : \{1, 2, \ldots, n\} \to \mathcal{S}$ such that $\pi_2(\pi_1(b_i)) = S_i$ instead of $\pi$. Then, $\{f(x), g(x), \pi_1\}$ and $\pi_2$ are given to $R$ and $G$ as $v$ and $w$, respectively.

The required memory sizes for the above construction are formally addressed as follows:

Theorem 9. The required memory sizes in the above scheme are given as follows:

$H(\mathcal{A}) = \log_2 nq(q-1)$, $H(\mathcal{U}_i) = \log_2 nq^2$ for any $i$ ($1 \le i \le n$), $H(\mathcal{V}) = 2(k+2)\log_2 q$, $H(\mathcal{W}) = \sum_{i=0}^{n-1} \log_2 (q - i)$.


Construction from Cover Free Family. Another construction of GA-code is based on CFF. An advantage of using the CFF based GA-code is that, as with USAE, it does not always require $|M| + 1 \ge n$, while this requirement is absolute for the polynomial based GA-code.

In order to construct a GA-code from CFF, we also introduce "classical" A-codes [18,27] which include only one sender and one receiver. In such A-codes, there are 3 participants, a sender $S$, a receiver $R$ and a trusted initializer TI. TI generates secret information $u$ and $v$ for $S$ and $R$, respectively, such that $u = v$. In order to send a plaintext $\tilde m$ to $R$, $S$ generates his authenticated message $\tilde a$ from $\tilde m$ by using $u$ and transmits $\tilde a$ to $R$. $R$ verifies the validity of $\tilde a$ by using $\tilde m$ and $v$. We note that $S$ or $R$ may generate $u$ and $v$ in order to remove TI.

Definition 6. Let $\mathcal{U}$, ($\mathcal{V}$,) $\tilde{\mathcal{M}}$ and $\tilde{\mathcal{A}}$ denote the random variables induced by $u$, ($v$,) $\tilde m$ and $\tilde a$, respectively. We say that $(\mathcal{U}, (\mathcal{V},) \tilde{\mathcal{M}}, \tilde{\mathcal{A}})$ is a $p$-authentication code (A-code) if

1. Any outsiders (which do not include $S$, $R$ or TI) can perform impersonation with probability at most $p$. Namely, $\max_{\tilde a} \Pr(R \text{ accepts } \tilde a) \le p$.

2. Any set of outsiders can perform substitution with probability at most $p$. Namely, letting $a'$ be an authenticated message which is generated by $S$, $\max_{a'} \max_{\tilde a \ne a'} \Pr(R \text{ accepts } \tilde a \mid a') \le p$.

Construction methods of A-codes are given in, for example, [18,27]. In the following, for simplicity, let $f : \tilde M \times U \to \tilde A$ denote a mapping such that $f(\tilde m, u) = \tilde a$. Additionally, the notation for CFF is the same as that in Def. 3.
GA-Code Based on Cover Free Families

1. Setting Up: Let $M := \tilde M$. TI first generates an $(n, t, k)$-CFF such that each of $l_i$ ($1 \le i \le t$) is an element of $U$. TI also chooses distinct numbers $r_i$ ($1 \le i \le n$) from $\{1, 2, \ldots, n\}$ uniformly at random. An algorithm that generates $F_i$ ($1 \le i \le n$) from $i$ and $L$ may be public to all players. TI further uniformly at random chooses two mappings $\pi_1 : \{1, 2, \ldots, n\} \to \{1, 2, \ldots, n\}$ and $\pi_2 : \{1, 2, \ldots, n\} \to \mathcal{S}$ such that $\pi_2(\pi_1(r_i)) = S_i$ for $1 \le i \le n$. Next, TI gives $\{L, \pi_1\}$ to $R$ as $v$. TI also gives $\{r_i, F_{r_i}\}$ ($1 \le i \le n$) to $S_i$ ($1 \le i \le n$), respectively, as $u_i$. In addition, $\pi_2$ is given to $G$ as $w$. After distributing the keys, TI deletes his memory.

2. Message Generation: Sender $S_i$ generates an authenticated message $a$ for $m$ as $a := \{r_i, a^{(r_i)}_1, \ldots, a^{(r_i)}_{|F_{r_i}|}\}$, where $a^{(r_i)}_j := f(m, l_{i_j})$ ($1 \le j \le |F_{r_i}|$), assuming that $F_{r_i} = \{l_{i_1}, l_{i_2}, \ldots, l_{i_{|F_{r_i}|}}\}$.

3. Verification: Receiver $R$ first generates $F_{r_i}$ from $L$ and $r_i$. Then, $R$ accepts $a$ as valid if $a^{(r_i)}_j$ is identical to $f(m, l_{i_j})$ for all $j$ ($1 \le j \le |F_{r_i}|$).

4. Tracing: When $R$ wants to reveal the identity of the sender, $R$ first sends a request to $G$. If $R$'s request is approved by $G$, $R$ calculates $t = \pi_1(r_i)$ and transmits it to $G$. Then, $G$ reveals the sender's identity by $S_i = \pi_2(t)$ and transmits this result back to $R$ via a secure channel.

Theorem 10. The above scheme is a $(p, k, n)$-one-time GA-code.

The proof of the theorem is straightforward.

The required memory sizes for the above construction are formally addressed as follows:

Theorem 11. The required memory sizes in the above scheme are given as follows:

$H(\mathcal{A}) = \log_2 n + |F| H(\tilde{\mathcal{A}})$, $H(\mathcal{U}_i) = \log_2 n + |F| H(\mathcal{U})$ for any $i$ ($1 \le i \le n$), $H(\mathcal{V}) = tH(\mathcal{U}) + \sum_{i=0}^{n-1} \log_2 (i + 1)$, $H(\mathcal{W}) = \sum_{i=0}^{n-1} \log_2 (i + 1)$,

assuming that all $|F_{r_i}|$ ($1 \le i \le n$) are of the same size $|F|$.

As mentioned so far, we see that the above scheme does not always require $|M| + 1 \ge n$, while the polynomial based GA-code can be utilized only when $|M| + 1 \ge n$. In addition, it should be noticed that the size of $a$ can be reduced if each of $a^{(r_i)}_1, a^{(r_i)}_2, \ldots, a^{(r_i)}_{|F_{r_i}|}$ contains the same $m$.


3.4 Remarks 

In the previous subsection, we showed GA-codes in a single-receiver model. A multiple-receiver extension, made similarly to MUSAE for GA-code, is omitted here but will appear in the full version. Tight bounds for the required memory sizes in GA-code are important in analyzing optimality and are an interesting open problem.

By the combination of USAE and GA-code, a secure communication sys- 
tem with confidentiality, authenticity and sender’s anonymity was constructed. 
It should be noticed that the security of this system was proven without any 
computational assumptions and assures long-term security. 
Abstract. The generic group model has recently been used to prove the security of certain asymmetric encryption and signature schemes. This paper presents results that show that there exist problems that are provably hard in the generic group model but easy to solve whenever the random encoding function is replaced with a specific encoding function (or one drawn from a specific set of encoding functions). In particular we show that there exist cryptographic schemes that are provably hard in the generic group model but easy to break in practice.


1 Introduction 

The complex nature of asymmetric encryption schemes makes it difficult to give 
concrete assurances of their security. In order to prove results about their security 
several models have been proposed. Each model makes some assumptions about 
the properties of certain parts of the scheme. 

The most popular of these is the random oracle model, which was introduced by Bellare and Rogaway in 1993. It was designed to show the difficulty of breaking cryptographic algorithms by modelling certain parts of the cipher (usually the hash functions) as random functions. Doubt was cast on the validity of this model by Canetti, Goldreich and Halevi, who proved that there exists a theoretical signature scheme that is secure in the random oracle model but insecure when the random function is replaced by any polynomial time computable function or set of functions.

The generic group model was proposed by Shoup to give exact bounds on the difficulty of the discrete logarithm problem and the Diffie-Hellman problem in the situation where the attacker has no information about the specific representation of the group being used. In other words the attacker is trying to solve a discrete logarithm (or Diffie-Hellman) problem in a group isomorphic to $C_p$ but does not know whether this group is realised as, say, a multiplicative group or as an elliptic curve group. We cast some doubt on the model by proposing a problem that is provably difficult in the generic group model but for which there exists an attacker that can easily solve the problem for any representation of the group without using any of the special properties of that representation.

More recently the generic group model has been used by Brown [2], Schnorr and Jakobsson [7], and Smart in the analysis of certain cryptographic protocols based on the Diffie-Hellman problem. Our result shows that, in the analysis of asymmetric primitives, the generic group model has the same weaknesses as the random oracle model. In particular we show how a secure signature scheme may be modified to give a scheme that is still secure in the generic group model but insecure whenever any specific representation of the group is chosen.

This work is similar in its intent to the work of Fischlin but our result is an improvement. Fischlin shows that the security of the Schnorr signature scheme in the generic group model might depend upon the choice of hash function used within the scheme. The paper shows that the scheme is weak in the generic group model with one particular hash function and postulates that the scheme is secure in the generic group model with a different hash function. We improve upon this result and show that if there exists any signature scheme that is secure in the generic group model then there exists a tweaked version of that scheme that is still provably secure in the generic group model but insecure in practice.

2 The Generic Group Model 

Let $p$ be a $k$-bit prime and let $\mathbb{Z}_p$ be the group of additive integers modulo $p$. Let $l_{out} : \mathbb{N} \to \mathbb{N}$ be a length function with $l_{out}(k) \ge k$ and $S = \{0,1\}^{l_{out}(k)}$. Note that it is possible to represent elements of $\mathbb{Z}_p$ as members of $S$. An encoding function is a function $\sigma : \mathbb{Z}_p \to S$ for which $\sigma(x) = \sigma(y)$ if and only if $x = y$.

The most common examples of encoding functions include representing an element $x \in \mathbb{Z}_p$ as:

— the bit representation of $x$ in $\mathbb{Z}_p$,

— the bit representation of $g^x$ in $\mathbb{Z}_m$, where $g$ has order $p$ in $\mathbb{Z}_m$,

— the bit representations of the co-ordinates of the elliptic curve point $xP$, where $P$ is a point of order $p$ on an elliptic curve $E$.

It is important to note that finding $x$ given $\sigma(x)$ and $\sigma(1)$ is the same as solving the discrete logarithm problem on the group.

A generic algorithm is a probabilistic, polynomial-time Turing machine $M$ that takes representations of group elements $\sigma(x_1), \ldots, \sigma(x_m)$ as inputs. As $M$ is executed it may compute group operations on group elements by way of an addition oracle $O : S \times S \times \mathbb{Z}_2 \to S$ such that

$$O(\sigma(x_i), \sigma(x_j), b) = \sigma(x_i + (-1)^b x_j). \quad (1)$$

We assume that any call to this oracle involves one evaluation of $\sigma$.

We will denote a generic algorithm $M$ with access to an encoding function $\sigma$ and a suitable addition/subtraction oracle by $M^\sigma$ (we implicitly assume the presence of an addition oracle whenever we have an oracle for the encoding function). We define the result of running such an algorithm as $x \leftarrow M^\sigma$. This differs from the original definition of [8] as our generic algorithm can calculate $\sigma(x)$ for any $x \in \mathbb{Z}_p$ without calculating any intermediate values. In particular $M$ can calculate $\sigma(1)$.

This does not substantially change any of the results given in [8] because even when it is not possible to calculate $\sigma(x)$ directly, it is always possible to calculate $\sigma(x)$ using a polynomial number of queries to the addition oracle $O$. The following is a result of Shoup [8].

Result 1. Let $x \in \mathbb{Z}_p$ and let $\sigma$ be a randomly chosen encoding function of $\mathbb{Z}_p$ into $S$. If $M^\sigma$ is a generic algorithm for $\mathbb{Z}_p$ on $S$ that makes at most $m$ evaluations of $\sigma$ then the probability that $x \leftarrow M^\sigma(\sigma(x))$ is $O(m^2/p)$. Note that in particular if $M^\sigma$ makes a number of evaluations of $\sigma$ that is polynomial in $k$ then the probability that $x \leftarrow M^\sigma(\sigma(x))$ is negligible.
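The model of Section 2 can be simulated directly. The following Python is an added example, not code from the paper: it realises a random encoding $\sigma$ of $\mathbb{Z}_p$ into $l_{out}$-bit strings as a lookup table, exposes only $\sigma$ and the addition oracle $O$ of equation (1) to the algorithm, counts every oracle call (the quantity Result 1 bounds success by), and runs baby-step giant-step as a generic algorithm $M^\sigma(\sigma(x))$. The prime $p = 1009$, $l_{out} = 16$ and the seed are constructed parameters.

```python
import math
import random


class GenericGroup:
    """A random encoding sigma of Z_p into l_out-bit strings (held as ints),
    plus the addition oracle O of equation (1).  Every call to sigma or O is
    counted, because Result 1 bounds success by the number of evaluations."""

    def __init__(self, p, l_out, rng):
        assert l_out >= p.bit_length()
        self.p = p
        codes = rng.sample(range(2 ** l_out), p)   # injective: sigma(x)=sigma(y) iff x=y
        self._enc = {x: codes[x] for x in range(p)}
        self._dec = {c: x for x, c in self._enc.items()}
        self.queries = 0

    def encode(self, x):
        """sigma(x); the paper lets M evaluate sigma directly on any x."""
        self.queries += 1
        return self._enc[x % self.p]

    def add(self, a, b, bit):
        """O(sigma(x_i), sigma(x_j), b) = sigma(x_i + (-1)^b x_j)."""
        self.queries += 1
        xi, xj = self._dec[a], self._dec[b]
        return self._enc[(xi + (-1) ** bit * xj) % self.p]


def bsgs(group, target):
    """Generic algorithm M^sigma(sigma(x)) -> x.  It touches encodings only
    through encode() and add(), never the tables, so it is generic in the
    sense of Section 2.  Costs about 2*sqrt(p) oracle calls."""
    m = math.isqrt(group.p) + 1
    one = group.encode(1)
    baby = {}                                  # sigma(j) -> j for 0 <= j < m
    cur = group.encode(0)
    for j in range(m):
        baby[cur] = j
        cur = group.add(cur, one, 0)           # sigma(j + 1)
    step = group.encode(m)
    gamma = target                             # sigma(x - i*m)
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % group.p
        gamma = group.add(gamma, step, 1)      # subtract m
    return None


def solve_dlog(p, x, seed=1):
    """Run the generic algorithm against a fresh random encoding (constructed
    parameters).  Returns (recovered x, number of oracle calls made)."""
    group = GenericGroup(p, l_out=16, rng=random.Random(seed))
    target = group.encode(x)
    return bsgs(group, target), group.queries


if __name__ == "__main__":
    print(solve_dlog(1009, 777))
```

The query count grows like $\sqrt{p}$, which is exactly where the $O(m^2/p)$ bound of Result 1 becomes non-negligible: a generic algorithm that succeeds with constant probability needs $m^2$ comparable to $p$, so with $m$ polynomial in $k$ and $p$ a $k$-bit prime it cannot.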

3 Evasive Relations on Groups 

The definition of an evasive relation was introduced in [?] and we will continue to develop definitions and use the proof techniques that that paper suggests. The notion of an evasive relation captures one difference between random functions (a function chosen at random from all possible functions) and functions actually used in practice (which must be computable).

Definition 1 (Evasive Relation). A relation $R \subseteq \{0,1\}^* \times \{0,1\}^{l_{out}(k)}$ is said to be evasive if for any probabilistic polynomial-time Turing machine $M$ with access to an oracle $\mathcal{V}$ we have

$\Pr[x \leftarrow M^{\mathcal{V}}(1^k),\ (x, \mathcal{V}(x)) \in R]$

is negligible in $k$, where the probability is taken uniformly over all choices of oracle $\mathcal{V} : \{0,1\}^* \to \{0,1\}^{l_{out}(k)}$ and the coins of $M$.

We extend this definition so that it is applicable to the group setting.

Definition 2 (Evasive Group Relation). A relation $R \subseteq G \times S$ is said to be an evasive group relation if for any probabilistic polynomial-time Turing machine $M$ we have

$\Pr[x \leftarrow M^\sigma(1^k),\ (x, \sigma(x)) \in R]$

is negligible in $k$, where the probability is taken uniformly over all choices for an encoding function $\sigma : G \to S$ and the coins of $M$.

However, in the real world we will not be working with a random encoding function but with a known computable function that is, at worst, chosen from some collection. For example we could be working in a subgroup of the multiplicative group of integers modulo a value or a subgroup of an elliptic curve group with the points represented as either compressed, uncompressed or hybrid bit-strings. We designate the collection of these possible encoding functions an “encoding ensemble”.

Definition 3 (Encoding ensemble). We define an encoding ensemble $\mathcal{F}$ to be a collection of encoding functions $f_s : \mathbb{Z}_p \to S$ where $s \in \{0,1\}^k$. (We do not require that $\mathcal{F}$ contain exactly $2^k$ functions, just that this is an upper bound.) We require that there exists a polynomial-time algorithm Eval such that $\mathrm{Eval}(s, x) = f_s(x)$ and a polynomial-time algorithm Add such that

$\mathrm{Add}(s, f_s(x_i), f_s(x_j), b) = f_s(x_i + (-1)^b x_j)$. (2)

Once again we reiterate the fact that complete knowledge of an encoding function $f_s$ and the encoding $f_s(x)$ of a group element does not imply that it is feasible to calculate $x$. This is the discrete logarithm problem and in general this is hard. However, in general, it is not necessary to be able to invert an encoding function in order to construct the Add function - all of the examples of encoding functions given in Section 2 have efficient Add functions, even when the discrete logarithm problem is thought to be hard for that representation.

We try to emulate the idea of an evasive group relation when the randomly chosen encoding function is replaced with a function chosen at random from an encoding ensemble.

Definition 4 (Correlation intractability). Let $\mathcal{F}$ be an encoding ensemble of $\mathbb{Z}_p$ into $S$. $\mathcal{F}$ is correlation intractable if for every probabilistic, polynomial-time Turing machine $M$ and every evasive group relation $R$ we have that

$\Pr[s \leftarrow \{0,1\}^k,\ x \leftarrow M(s),\ (x, f_s(x)) \in R]$

is negligible in $k$, where the probability is taken over the uniformly random choice of $s$ and the coins of $M$.

A clear example of the difference between random encoding functions (an encoding function drawn at random from all possible encoding functions) and encoding ensembles (where the encoding function is drawn from a specific set) is that there exists no encoding ensemble which is correlation intractable.

Lemma 1. There exist no correlation intractable encoding ensembles.

Proof. Let $\mathcal{F}$ be an encoding ensemble of $\mathbb{Z}_p$ into $S$ and define the relation $R$

$R = \{(s, f_s(\bar{s})) : s \in \{0,1\}^k\}$ (3)

where $\bar{s} = s \pmod p$. This is an evasive relation because for every $x \in \mathbb{Z}_p$ there exist at most two $y$ such that $(x, y) \in R$ and so, for any $x \in \mathbb{Z}_p$, we have that

$\Pr[(x, \sigma(x)) \in R] \le \left(2^{l_{out}(k)-1}\right)^{-1} \le \left(2^{k-1}\right)^{-1}$ (4)

for a randomly chosen encoding function $\sigma$.

However if $M(s)$ is the machine that returns $s$ then

$\Pr[s \leftarrow \{0,1\}^k,\ s \leftarrow M(s),\ (s, f_s(\bar{s})) \in R] = 1$ (5)

for any random choice of $s \in \{0,1\}^k$. So $\mathcal{F}$ is not a correlation intractable encoding ensemble. □
4 A Hard Problem with an Easy Solution

In this section we will examine a slightly modified version of the discrete logarithm problem. We still attempt to solve the discrete logarithm problem in the group $\mathbb{Z}_p$ as it is represented by the encoding function, however we now allow the attacking machine to have access to certain oracles. We attempt to show that whilst this problem is secure in the generic group model, it is insecure whenever any specific encoding function or encoding ensemble is used.


4.1 A Modified Problem

For any evasive group relation $R$ we define an oracle $D^\sigma_R$ such that

$D^\sigma_R(y, \sigma(x)) = \begin{cases} x & \text{if } (y, \sigma(y)) \in R, \\ \bot & \text{otherwise.} \end{cases}$ (6)


We still have that

Theorem 2. If $M^{\sigma, D^\sigma_R}$ is a generic algorithm that makes at most a number of queries to any oracle that is polynomial in $k$ then

$\Pr[x \leftarrow M^{\sigma, D^\sigma_R}(\sigma(x))]$

is negligible, where the probability is taken over the uniform choice of encoding function $\sigma$ and the coins of $M$.

Proof. Obviously the oracle $D^\sigma_R$ does not affect $M$ unless it is queried with a value $y$ such that $(y, \sigma(y)) \in R$. Since $R$ is a group evasive relation this probability is negligible, hence we may ignore the oracle $D^\sigma_R$. In this case we may appeal to Result 1 which proves that the probability of $M^\sigma$ returning $x$ without the oracle $D^\sigma_R$ is also negligible.

Formally we define $E$ to be the event that the oracle $D^\sigma_R$ is queried with $(y, z)$ such that $(y, \sigma(y)) \in R$ and $\bar{E}$ to be the complement of this event. So,

$\Pr[x \leftarrow M^{\sigma, D^\sigma_R}(\sigma(x))] = \Pr[x \leftarrow M^{\sigma, D^\sigma_R}(\sigma(x)) \mid E]\Pr[E] + \Pr[x \leftarrow M^{\sigma, D^\sigma_R}(\sigma(x)) \mid \bar{E}]\Pr[\bar{E}]$ (7)

$\le \Pr[E] + \Pr[x \leftarrow M^{\sigma, D^\sigma_R}(\sigma(x)) \mid \bar{E}]$

and both of these terms are negligible, the latter by Result 1. □


This proves that the oracle $D^\sigma_R$ has no effect on the problem in the generic group model. Now consider the effects of this oracle when the random encoding function $\sigma$ is replaced by an encoding ensemble. (Or rather the function $\sigma$ chosen at random from all encoding functions is replaced with a function $f_s$ chosen at random from the encoding ensemble $\mathcal{F}$.) If we use the group evasive relation $R$ defined in (3) then the previously useless oracle $D_R$ now becomes

$D^s_R(y, f_s(x)) = \begin{cases} x & \text{if } (y, f_s(y)) \in R, \\ \bot & \text{otherwise.} \end{cases}$ (8)

Of course now there exists a machine $M^{D^s_R}(f_s(x), s)$ that will output $x$ with probability 1 just by querying the oracle $D^s_R$ with the query $(s, f_s(x))$, where $\bar{s} \in \mathbb{Z}_p$ and $\bar{s} = s \bmod p$.
4.2 A Universal Encoding Ensemble

So far we have shown that for every encoding ensemble there exists an oracle discrete logarithm problem that is provably difficult in the generic group model but easy when the random encoding function is replaced by a specific given encoding ensemble. We will now attempt to generalize this to an oracle discrete logarithm problem that is hard in the generic group model but easy when the random encoding function is replaced by any encoding ensemble. In order to do this we will need to enumerate all possible encoding ensembles.

Recall that for any function ensemble $\mathcal{F}$ there exists a polynomial-time function $\mathrm{Eval}(s, x)$ that evaluates $f_s(x)$. We cannot enumerate all polynomial-time functions as there is no single polynomial-time bound that they all obey, so instead we enumerate all functions that run in time $t(k) = k^{\log k}$. We do this by enumerating all algorithms and modifying each algorithm to force it to terminate after $t(k)$ steps. Note that this enumeration will include all polynomial-time algorithms.

We denote the $i$-th encoding ensemble in this enumeration by $\mathcal{F}^i$ and the $s$-th member of that encoding ensemble by $f^i_s$. We let $U$ denote the universal encoding ensemble given by

$U((i, s), x) = f^i_s(x)$ (9)

We remark that there exists a machine that computes $U$ and runs in time $t(k)$. Now consider the relation $R$ induced by $U$ given by

$R = \{(x, y) : y = U(x, \bar{x})\} \subseteq \{0,1\}^* \times S$ (10)

where $\bar{x}$ is the element of $\mathbb{Z}_p$ such that $\bar{x} = x \bmod p$ (i.e. $(x, y) \in R$ if and only if $x = (i, s)$ and $y = f^i_s(\bar{x})$). This relation is clearly evasive as for any $x$ there exists at most one value of $y$ such that $(x, y) \in R$. Again we consider the oracle $D^\sigma_R$ such that

$D^\sigma_R(y, \sigma(x)) = \begin{cases} x & \text{if } (y, \sigma(y)) \in R, \\ \bot & \text{otherwise.} \end{cases}$ (11)


Now we may deduce the following two results in exactly the same way as before but using the evasive relation $R$ (which is slightly different to the evasive group relation we used before).

Lemma 2. If $M^{\sigma, D^\sigma_R}$ is a generic algorithm that makes a polynomial number of queries to any oracle then

$\Pr[x \leftarrow M^{\sigma, D^\sigma_R}(\sigma(x))]$

is negligible, where the probability is taken over the uniform choice of encoding function $\sigma$ and the coins of $M$.

Now we replace the random encoding function $\sigma$ with the label describing the encoding function, $(i, s)$. It is important to replace $\sigma$ with $(i, s)$ exactly. Since $\sigma$ is an oracle that is available to both the attacker and the oracle $D_R$ we must make sure that both the attacker and the oracle have access to a legitimate copy of $(i, s)$. It is easiest to think of $(i, s)$ as a system parameter.
Lemma 3. There exists a Turing machine $M$ that runs in time polynomial in $k$ such that

$\Pr[x \leftarrow M^{D^{(i,s)}_R}(f^i_s(x), (i, s))] = 1$.

Proof. $M$ queries $D^{(i,s)}_R$ with the input $((i, s), f^i_s(x))$ and then outputs the output of the oracle. This can be done in polynomial time since we know $f^i_s$ is a polynomial-time encoding function. □

5 Signature Schemes 

The results in this paper have been phrased in terms of an oracle problem that 
is provably hard in the generic group model. Some readers might dislike the 
use of a very powerful oracle that only outputs useful information in a very 
small number of cases. We have chosen to exhibit the results in the more general 
sense of a problem but it should also be noted that the above results could have 
been phrased in terms of a signature or encryption scheme. Here the oracle is 
replaced by access to a signing oracle or a decryption oracle, which seems much 
more natural. 


5.1 A Signature Scheme That Runs in Super-polynomial Time

Suppose $(\mathcal{S}, \mathcal{V})$ is a signature scheme secure against adaptive chosen message attacks in the generic group model. We can modify the scheme so that it is still secure in the generic group model but insecure when any encoding ensemble is used instead of a random encoding function. Let $\mathcal{S}_1$ be the signing function given by

$\mathcal{S}^\sigma_1(m, sk) = \begin{cases} sk \,\|\, \mathcal{S}^\sigma(m, sk) & \text{if } (m, \sigma(m)) \in R, \\ \mathcal{S}^\sigma(m, sk) & \text{if } (m, \sigma(m)) \notin R, \end{cases}$ (12)

where $m$ is the message to be signed, $sk$ is the secret key and $R$ is the relation given in equation (10). The corresponding verifying algorithm $\mathcal{V}_1$ is given by

$\mathcal{V}^\sigma_1(m, s, pk) = \begin{cases} \mathcal{V}^\sigma(m, s', pk) & \text{if } (m, \sigma(m)) \in R \text{ and } s = x \,\|\, s' \text{ (where } x \text{ is the same length as } sk), \\ \mathcal{V}^\sigma(m, s, pk) & \text{if } (m, \sigma(m)) \notin R, \end{cases}$ (13)

where $m$ is the message, $s$ is the signature and $pk$ is the public key. The signature scheme $(\mathcal{S}_1, \mathcal{V}_1)$ is still secure against adaptive chosen message attacks in the generic group model.

However we have already shown that once we replace the random encoding function $\sigma$ with an encoding function $f^i_s$ drawn at random from an encoding ensemble $\mathcal{F}^i$ then we can find a message $m = (i, s)$ for which $(m, f^i_s(\bar{m})) \in R$. Hence we completely recover the secret key if we query the signing oracle with $m$. So the scheme is insecure for any concrete instantiation of the encoding function, i.e. the scheme is insecure in practice.

Unfortunately we are not quite finished: at the moment both the signing and verifying algorithms run in time $t(k) = O(k^{\log k})$. This is because both algorithms need to check a relation in $R$ and the only way to check if $((i', s'), y) \in R$ is to check if $f^{i'}_{s'}(\overline{(i', s')}) = y$, which may take super-polynomial time.
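Lemma 1, the oracle of equation (8) and the tweaked signer $\mathcal{S}_1$ of equation (12) all rest on the same mechanism, so one added example serves all three. The Python below is not code from the paper: it builds a toy encoding ensemble $f_s(x) = g_s^x \bmod 23$ in the order-11 subgroup, with the generator $g_s$ selected by a 4-bit label $s$ so that Eval and Add of Definition 3 are both cheap; the relation is $R = \{(s, f_s(\bar{s}))\}$ from equation (3); the underlying signer $\mathcal{S}$ is stood in for by an HMAC. The group parameters, the label length, the key and all function names are constructed choices.

```python
import hashlib
import hmac
import random

Q, P = 23, 11        # q = 2p + 1; the order-p subgroup of Z_q^* plays the role of Z_p
K = 4                # label length k: s in {0,1}^4 is handled as an int in 0..15
BASE = pow(5, 2, Q)  # 5 generates Z_23^*, so 5^2 = 2 has order 11
L_OUT = 8            # a random sigma encodes into 8-bit strings (ints 0..255)


def eval_f(s, x):
    """Eval(s, x) = f_s(x); the generator g_s = BASE^(1 + s mod (p-1)) has order p."""
    g_s = pow(BASE, 1 + (s % (P - 1)), Q)
    return pow(g_s, x % P, Q)


def add_f(s, a, b, bit):
    """Add(s, f_s(x_i), f_s(x_j), b) = f_s(x_i + (-1)^b x_j), equation (2)."""
    return (a * b) % Q if bit == 0 else (a * pow(b, -1, Q)) % Q


def in_relation(y, enc):
    """(y, enc) in R = {(s, f_s(s mod p)) : s in {0,1}^k}, equation (3)."""
    return 0 <= y < 2 ** K and enc == eval_f(y, y % P)


def dlog(s, enc):
    """The oracle is unbounded; in the toy group exhaustive search is fine."""
    return next(x for x in range(P) if eval_f(s, x) == enc)


def oracle_D(s, y, enc_x):
    """D_R^s(y, f_s(x)) of equation (8): x if (y, f_s(y)) in R, else None (bottom)."""
    if in_relation(y, eval_f(s, y)):
        return dlog(s, enc_x)
    return None


def sign_base(sk, m):
    """Stand-in for the underlying signer S(m, sk) (an HMAC, not a real signature)."""
    return hmac.new(sk, m.to_bytes(2, "big"), hashlib.sha256).digest()


def sign_tweaked(s, sk, m):
    """S_1 of equation (12) with the concrete f_s in place of sigma."""
    sig = sign_base(sk, m)
    if in_relation(m, eval_f(s, m)):
        return sk + sig          # the tweak prepends the secret key
    return sig


def verify_tweaked(s, sk, m, sig):
    """V_1 of equation (13); with an HMAC the verifier holds sk in place of pk."""
    if in_relation(m, eval_f(s, m)):
        sig = sig[len(sk):]      # strip the x of the same length as sk
    return hmac.compare_digest(sig, sign_base(sk, m))


def leaked_key(s, sk):
    """Lemma 1 applied to S_1: the machine M(s) = s asks for a signature on
    m = s, which is in R by construction, and reads sk off the answer."""
    return sign_tweaked(s, sk, s)[:len(sk)]


def hit_rate_random_sigma(trials, seed=7):
    """Estimate Pr[(m, sigma(m mod p)) in R] for a random encoding sigma and a
    random label m: the same membership check, but made by a generic-model
    signer.  For a random 8-bit encoding it succeeds with probability 2^-8."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        sigma = rng.sample(range(2 ** L_OUT), P)     # random injective Z_p -> S
        m = rng.randrange(2 ** K)
        hits += in_relation(m, sigma[m % P])
    return hits / trials
```

The contrast is the point of Section 4: against a random $\sigma$ the check in `in_relation` fires with probability $2^{-l_{out}(k)}$ per attempt, so the key-leaking branch is unreachable, whereas once the concrete `eval_f` is the encoding, the label $s$ itself is a message that always takes that branch.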
5.2 Running the Scheme in Polynomial Time

We will use the CS-proof techniques of Micali [5] to run this scheme in polynomial time. Unlike [?] we cannot use guaranteed CS-proofs as we are unable to easily construct independent random functions, so we will instead use the notion of a cryptographic CS-proof. For this we require that all parties have access to a common random string $r$. Micali [5] shows that there exist polynomial-time algorithms Pro and Ver such that

— if $(x, \sigma(x)) \in R$ then Pro computes a proof $\pi$ of this fact,

— if $(x, \sigma(x)) \in R$ and $\pi$ is a proof of this fact then Ver verifies this proof,

— if $(x, \sigma(x)) \notin R$ then a polynomial-time adversary produces a proof $\pi'$ that Ver accepts for only an exponentially small number of random strings $r$.

From the details of [5] we see that it is reasonable to assume that the last fact goes even further: for any random string $r$ it is computationally infeasible for a polynomial-time adversary to find a group element $x$ and a proof $\pi'$ such that $(x, \sigma(x)) \notin R$ but Ver accepts the proof.¹

So we may now define a new signature scheme $(\mathcal{S}_2, \mathcal{V}_2)$ that is still secure against adaptive chosen message attacks in the generic group model. Note that any message $m$ may be written as $x \,\|\, \pi$ where $x$ is a group element, hence we may define the signing function on a message $m$ to be:

$\mathcal{S}^\sigma_2(m, sk) = \begin{cases} sk \,\|\, \mathcal{S}^\sigma(m, sk) & \text{if Ver verifies the proof } \pi \text{ that } (x, \sigma(x)) \in R, \\ \mathcal{S}^\sigma(m, sk) & \text{otherwise,} \end{cases}$ (14)

where $sk$ is the secret key. The corresponding verifying function for a message $m$ and a proposed signature $s$ is given by:

$\mathcal{V}^\sigma_2(m, s, pk) = \begin{cases} \mathcal{V}^\sigma(m, s', pk) & \text{if Ver verifies the proof } \pi \text{ that } (x, \sigma(x)) \in R \text{ and } s = x \,\|\, s' \text{ (where } x \text{ is the same length as } sk), \\ \mathcal{V}^\sigma(m, s, pk) & \text{otherwise.} \end{cases}$ (15)

This scheme is secure in the generic group model because it is computationally infeasible to guess $x$ such that $(x, \sigma(x)) \in R$ and it is also computationally infeasible to produce a proof $\pi$ that will fool the signing oracle into believing that $(x, \sigma(x)) \in R$. Furthermore, since Ver runs in polynomial time, both the signing and verifying functions run in polynomial time.

¹ Of course, we could allow all parties to have access to a random oracle and then use the construction given in [?]. This would then allow us to prove that, in the random oracle model, there exists a scheme that is secure in the generic group model but insecure in any practical situation. Alternatively we could construct a scheme that is secure in the combined random oracle/generic group model but insecure in the standard model (i.e. when all random functions are replaced with functions drawn from the relevant ensembles). Whilst this technique is used successfully in Schnorr and Jakobsson [?] we feel that, in this particular situation, this is too much like passing the buck!
However when the random encoding function is replaced by the encoding function $f^i_s$ then an attacker could submit the message

$m = (i, s) \,\|\, \mathrm{Pro}(x, r)$ (16)

to the signing oracle and the signing oracle will return the secret key. So the scheme is insecure for any practical instantiation of the encoding function.


6 Conclusion 

We have shown that the generic group model suffers from the same weaknesses 
as the random oracle model, namely, that a problem can be shown to be hard in 
the generic group model but is easy when the random function is changed to any 
specific function or set of functions. This shows that the generic group model is 
not a perfect way to represent an algorithm that attacks a problem defined on 
a group but doesn’t take advantage of any of the specific group structure. 

We have also adapted this to show that there are cryptographic schemes 
that are secure in the generic group model that are insecure whenever a specific 
encoding function is used. Heuristically this means that security proofs that rely 
on the generic group model should be viewed with the same caution as security 
proofs that rely on the random oracle model. 
Abstract. We know that trapdoor permutations can be used to construct all kinds of basic cryptographic primitives, including trapdoor functions, public-key encryption, private information retrieval, oblivious transfer, key agreement, and those known to be equivalent to one-way functions such as digital signature, private-key encryption, bit commitment, pseudo-random generator and pseudo-random functions. On the other hand, trapdoor functions are not as powerful as trapdoor permutations, so the structural property of permutations seems to be something special that deserves a more careful study. In this paper, we investigate the relationships between one-way permutations and all these basic cryptographic primitives. Following previous work, we focus on an important type of reductions called black-box reductions. We prove that no such reductions exist from one-way permutations to either trapdoor functions or private information retrieval. Together with previous results, all the relationships with one-way permutations have now been established, and we know that no such reductions exist from one-way permutations to any of these primitives except trapdoor permutations. This may have the following meaning, with respect to black-box reductions. We know that one-way permutations imply none of the primitives in “public cryptography”, where additional properties are required on top of “one-wayness” [12], so permutations cannot be traded for any of these additional properties. On the other hand, we now know that none of these additional properties can be traded for permutations either. Thus, permutation seems to be something orthogonal to those additional properties on top of one-wayness. Like previous non-reducibility results [12, 23, 17, 7, 9, 8, 6], our proofs follow the oracle separation paradigm of Impagliazzo and Rudich [12].


1 Introduction 

Modern cryptography has provided us with all kinds of protocols for various interesting and important tasks involving security issues. However, almost all of these protocols have their security based on some intractability assumptions which all imply $\mathcal{P} \ne \mathcal{NP}$. So unconditional proofs of security for these protocols may seem far beyond our reach. One important line of research then is to understand the relationships among these assumptions. However, there are many interesting cryptographic tasks, and even a single task may have several variants. So potentially the whole picture could become very messy and be of little help in clarifying our understanding. Instead, we want to focus on the most basic cryptographic tasks in their most primitive forms, which can serve as building blocks for more advanced protocols. We will also restrict ourselves to the classical world of cryptography, and leave the questions in quantum cryptography for future studies.

According to [2], such basic cryptographic primitives can be roughly divided into two categories: private cryptography and public cryptography.¹ Private cryptography is represented by private-key encryption, and includes one-way permutation (OWP), one-way function (OWF), pseudo-random generator (PRG), pseudo-random functions (PRF), bit commitment (BC), and digital signature (DS). Public cryptography is represented by public-key encryption (PKE), and includes trapdoor permutations (TDP), trapdoor functions (TDF), oblivious transfer (OT), private information retrieval (PIR), and key agreement (KA). “One-wayness” turns out to be essential as these primitives are all known to imply one-way functions [1 1 »1 9111217]. For private cryptography, one-wayness is basically also sufficient, as one-way functions can be used to construct all the primitives therein, except one-way permutations. For public cryptography, additional properties are required on top of one-wayness, and the relationships among primitives appear to be rather complicated. We know that trapdoor permutations imply all of them, but some implications among others are known to fail, in the sense to be discussed next.

It is not clear what it means that one primitive $Q$ does not imply the other primitive $P$, or equivalently that $P$ cannot be reduced to $Q$, especially when both primitives exist under some plausible assumptions. After all, if the primitive $P$ exists, there is a protocol of $P$ based on $Q$ that simply ignores $Q$. Impagliazzo and Rudich [12] introduced a restricted but important subclass of reductions called black-box reductions. Informally speaking, a black-box reduction from $P$ to $Q$ is a construction of $P$ out of $Q$ that ignores the internal structure of the implementation of $Q$. Furthermore, the security of $P$’s implementation can also be guaranteed in a black-box way, in that one can use any adversary breaking $P$ as a subroutine to break $Q$. In fact in cryptography, almost all constructions of one primitive from another known so far are done in this way, so it makes sense to focus on reductions of this kind. Hereafter, all the reductions or implications we refer to in this paper will be black-box ones. To prove that no black-box reduction exists from $P$ to $Q$, it suffices to construct an oracle relative to which $Q$ exists


1 We want to remark that this classification is just a convenient one for us and is by 
no means a precise or complete one. The situation becomes complicated when one 
wants to talk about variations of primitives meeting additional requirements (e.g. 
whereas $P$ does not. Using this approach, Impagliazzo and Rudich [12] showed that no such black-box reduction exists from KA to OWP. As every primitive in public cryptography implies KA [?], this provides strong evidence that primitives in public cryptography require strictly more than one-wayness. Since then, more and more separations between cryptographic primitives have been established following this paradigm.

We know that trapdoor permutations imply all those basic cryptographic primitives, but it is not the case for trapdoor functions as they do not imply OT [?] and thus PIR [?]. So there seems to be something special about being a permutation which deserves further study. We also know that one-way functions do not imply one-way permutations [?], so permutation does not seem to be a property that one can have for free. We know that one-way permutations imply none of the primitives in public cryptography [12], so on top of one-wayness, one cannot trade permutations for any of the additional properties required in public cryptography. Then, the question we want to ask is: can any of those additional properties required in public cryptography be traded for permutations? Formally, can any of the primitives except TDP in public cryptography imply OWP? Figure 1 summarizes the relationships known so far between primitives and OWP. We will show that neither TDF nor PIR implies OWP, so the answer to that question is actually no!


[Fig. 1 diagram: implication arrows among TDF → PKE, OWP, TDP, KA, PIR → OT, and the group OWF, PRG, PRF, BC, DS; the remaining arrows are not recoverable from the text.]

Fig. 1. Relationships between OWP and other cryptographic primitives


We first construct an oracle, relative to which an injective trapdoor function (iTDF) exists whereas OWP does not. As iTDF implies PKE [?]² and PKE (two-pass KA) implies KA, we establish the impossibility of having black-box reductions from OWP to either TDF, PKE, or KA. Next, we construct an oracle, relative to which PIR exists whereas OWP does not. Because PIR implies OT [?], we establish that no black-box reduction exists from OWP to either PIR or OT. One immediate corollary is that PIR does not imply TDP, in contrast to the known result that TDP does imply PIR [?]. So according to our results, none of the primitives in public cryptography implies OWP in a black-box way. This is interesting in the sense that all the powerful primitives, except TDP, in public cryptography, which make almost all conceivable cryptographic tasks possible, are still unable to yield OWP. Our results suggest that permutation is really a special property that is orthogonal to other additional properties required in cryptography. Furthermore, the reducibility from OWP

² In fact, TDF with polynomial pre-image size suffices to imply PKE.
to each primitive was already known before, so now all the relationships, with respect to black-box reductions, between one-way permutations and those basic cryptographic primitives have been established. However, we want to stress that we are still far from being able to settle the real relationships among primitives, and in fact, to have separations beyond black-box reductions would require some major breakthrough in complexity theory [?].

For each separation between primitives, we need to find a suitable oracle that is powerful enough for making one primitive possible, but still not so for the other. We basically follow the approach of Impagliazzo and Rudich [12] and Gertner et al. [7]. It is known that a random function is one-way with high probability, even relative to a PSPACE-complete function [12]. Then, OWF exists relative to an oracle containing a random function and a PSPACE-complete function, but on the other hand, OWP does not relative to such an oracle [?]. We want to separate OWP from TDF and PIR. Each time we look for a special function which realizes the additional property required by that primitive but does not yield permutations. By adding such a function to the oracle, we can build the corresponding primitive, TDF or PIR, but relative to the oracle, OWP still does not exist. Our strategy for finding such special functions is based on the observation that both TDF and PIR can be seen as two-party primitives while OWP involves only one party. So we look for those functions that are useful in a two-party setting but useless in a one-party case.

The rest of the paper is organized as follows. In Section 2, we describe our notation and provide definitions for the cryptographic primitives involved in this paper. Then in Sections 3 and 4 we prove that no black-box reductions exist from OWP to iTDF and PIR, respectively.

2 Notation and Definitions 

Let $[n]$ denote the set $\{0, 1, \ldots, n-1\}$. For $x \in \{0,1\}^n$, let $x[i]$ denote the $i$-th bit of $x$ if $i \in [n]$, and an arbitrary value, say 0, otherwise. We write $\mathrm{poly}(n)$ to denote a polynomial in $n$. We write $*$ for $\{0,1\}^*$ and $(*, q, *)$ for those $(u, q, v)$ with $u, v \in \{0,1\}^*$. For a distribution $S$, we write $s \in S$ to denote sampling $s$ according to the distribution $S$. For any $n \in \mathbb{N}$, let $U_n$ denote the uniform distribution over $\{0,1\}^n$.

Parties in cryptographic primitives are assumed to run in polynomial time, and are modeled by probabilistic polynomial-time Turing machines (PPTM). Each cryptographic primitive is associated with a security parameter $k$, for evaluating how secure that primitive is. A function is called negligible if it vanishes faster than any inverse polynomial. We say that two distributions $X$ and $Y$ over $\{0,1\}^k$ cannot be distinguished if for any PPTM $M$,

$\left| \Pr_{x \in X}[M(x) = 1] - \Pr_{y \in Y}[M(y) = 1] \right| < \delta(k),$

for some negligible function $\delta(k)$. We say a function is easy to compute if it is computable in polynomial time. We say that a function $f$ is hard to invert if for any PPTM $M$,

$\Pr_{x \in U_k}[f(M(f(x))) = f(x)] < \delta(k),$

for some negligible function $\delta(k)$.

In the following, we give brief definitions of the cryptographic primitives studied in this paper. More formal treatment can be found in standard textbooks or the original papers. The most fundamental primitive is the one-way function, which is essential to all cryptographic primitives.

Definition 1. A one-way function (OWF) is a function that is easy to compute but hard to invert.

From one-way functions, we define primitives with additional properties. A one-way permutation is a one-way function that is itself a permutation.

Definition 2. A one-way permutation (OWP) is a one-way function $f$ with the additional requirement that for every $k \in \mathbb{N}$, $f$ maps $\{0,1\}^k$ to $\{0,1\}^k$ in a one-to-one and onto way.

Trapdoor functions are one-way functions which, when given some additional trapdoor information, are easy to invert.

Definition 3. A collection of trapdoor functions (TDF) is a collection of function families $\mathcal{F} = \{F_k \mid k \in \mathbb{N}\}$ satisfying the following properties.

— There is a PPTM $I$ that on input $1^k$ outputs a pair $(f, t)$, where $f$ is (an index of) a function in $F_k$, and $t$ is a string called the trapdoor for $f$.

— Each $f$ is easy to compute, and when the trapdoor $t$ is given, $f$ is also easy to invert.

— For a random $(f, t) \in I(1^k)$, $f$ is hard to invert without knowing the trapdoor $t$.

Next, we describe private information retrieval, which was introduced by Chor et al. [3]. This is a two-party protocol, where User wants to secretly learn some bit of Server’s database, conditioned on a non-trivial upper bound on Server’s communication complexity.

Definition 4. Private information retrieval (PIR) is a protocol involving two parties. Server has a database $x \in \{0,1\}^n$ while User has an index $i \in [n]$ and wants to learn the bit $x[i]$ in the following way.³

— Server sends less than $n$ bits to User.

— User keeps the index secret in the sense that Server cannot distinguish the distributions of messages sent from User when the indices are $i$ and $i'$ respectively, for any $i' \ne i$.

³ The security parameter here can be set to $k = \mathrm{poly}(n)$.


On the Impossibilities of Basing One-Way Permutations 115 


3 TDF Does Not Imply OWP 


In this section we construct an oracle $\Gamma$ relative to which there are injective trapdoor functions but no one-way permutations. It is shown in [?] that no OWP exists relative to an oracle with a PSPACE-complete problem and some random functions. We add a function $G$ into such an oracle to do the inverting job when provided with the trapdoor, and we want $G$ to be useless in constructing OWP. Our oracle $\Gamma$ consists of the following.

— A PSPACE-complete problem.

— A length-tripling random function $F(\cdot, \cdot)$.

— A length-tripling random function $H(\cdot)$.

— A function $G$ defined as follows.



In F, the functions F and H are random while the function G is completely 
determined by F and H . Call a query to G invalid if its answer is _L, and valid 
otherwise. Note that we can assume w.l.o.g. that both F and H are injective, 
because one can show that length-tripling functions are injective on sufficiently 
long inputs with measure one . 

G is designed in this way for the following purpose. The function F(·,H(t)) can be inverted if one has t, because for any x,

$G(F(x,H(t)),t) = x.$


Without knowing t, queries to G are likely to be invalid and thus useless. As we will see, this makes the construction of trapdoor functions possible. On the other hand, the function G is not helpful in a one-party primitive (OWP in particular), for the following reason. To have a valid query G(y,t), y is likely to come from a query F(x,H(t)) for some x, but then one knows x = G(y,t) already, which makes such a query to G unnecessary. Our approach basically follows those of m-

3.1 TDF in Γ

On input 1^k, the trapdoor-function generator I outputs the pair (t,H(t)), where t ∈ U_k is the trapdoor and H(t) is the index for the function F(·,H(t)). For convenience, we write F_t(·) to denote the function F(·,H(t)), and assume its domain being {0,1}^k. Given the index H(t), the function F_t is easy to compute, just by querying the oracle F(·,H(t)). Having the trapdoor t, F_t is easy to invert, with the help from the oracle G as

$G(F_t(x),t) = G(F(x,H(t)),t) = x.$
It remains to show that F_t is hard to invert without knowing the trapdoor t. Consider any oracle PPTM M as an inverter. Without the oracle G, F_t is a random function and is likely to be one-way, by a standard argument (e.g. [10]). The idea is that unless M^Γ can guess the trapdoor t correctly, G is unlikely to provide useful information for inverting F_t. Formally, for a negligible function δ(k), we want to upper-bound the probability

$\Pr_{\Gamma}\left[\Pr_{x,t}\left[M^{\Gamma}(F_t(x),H(t)) = x\right] > \delta(k)\right],$

which by Markov inequality is at most

$\mathrm{Ex}_{\Gamma}\left[\Pr_{x,t}\left[M^{\Gamma}(F_t(x),H(t)) = x\right]\right]/\delta(k) = \Pr_{\Gamma,x,t}\left[M^{\Gamma}(F_t(x),H(t)) = x\right]/\delta(k).$

We need the following lemma.

Lemma 1. $\Pr_{\Gamma,x,t}[M^{\Gamma}(F_t(x),H(t)) = x] \le k^c 2^{-k}$, for some constant c.

Proof. Define the following probability event:

— B_1: M^Γ on input (F_t(x),H(t)) queries H on t or G on (∗,t).

We first show that this bad event is unlikely to happen.

Claim. $\Pr_{\Gamma,x,t}[B_1] \le \mathrm{poly}(k)\,2^{-k}$.

Proof. Note that whether or not M^Γ queries H on t or G on (∗,t) does not depend on either H(t) or G(∗,t). Instead, it is completely determined by the input together with those H(t') and G(∗,t') for every t' ≠ t. Fix any x, t and any restriction Γ_0 of Γ that leaves only H(t) random. Note that G(∗,t) is not fixed yet as it depends on H(t), but it has no effect on B_1. Then whether or not B_1 happens depends only on the input, because all oracle answers that may matter have been fixed. Therefore,

$\Pr_{\Gamma,x,t}[B_1] = \mathrm{Ex}_{x,t,\Gamma_0}\left[\Pr_{H(t)}\left[M^{\Gamma_0}(F(x,H(t)),H(t)) \text{ queries } H \text{ on } t \text{ or } G \text{ on } (*,t)\right]\right]$
$= \mathrm{Ex}_{x,t,\Gamma_0}\left[\Pr_{h}\left[M^{\Gamma_0}(F(x,h),h) \text{ queries } H \text{ on } t \text{ or } G \text{ on } (*,t)\right]\right]$
$= \mathrm{Ex}_{x,\Gamma_0,h}\left[\Pr_{t}\left[M^{\Gamma_0}(F(x,h),h) \text{ queries } H \text{ on } t \text{ or } G \text{ on } (*,t)\right]\right]$
$\le \mathrm{poly}(k)\,2^{-k},$

where the last inequality is because M makes at most poly(k) queries. □

Next, we want to show that if the bad event B_1 does not happen, M^Γ is unlikely to invert the input correctly. We may assume w.l.o.g. that M^Γ always uses its output to query F_t at the final step before it stops. This does not affect its inverting probability, which is bounded above by the probability of the following event:

— B_2: M^Γ on input (F_t(x),H(t)) queries F_t on x.

So it remains to prove the following claim.

Claim. $\Pr_{\Gamma,x,t}[B_2 \mid \neg B_1] \le \mathrm{poly}(k)\,2^{-k}$.

Proof. The proof is very similar to that of the preceding claim, by observing the correspondence between (x,F_t) and (t,H). Fix any x, t and any restriction Γ_1 of Γ that leaves only F_t(x) random. Again G(∗,t) is not determined yet but it has no effect as it is not queried conditioned on ¬B_1. Then whether or not M^Γ queries F_t on x is completely determined by the input, because all oracle answers that may matter have been fixed. The rest is similar. □

With these two claims, we have

$\Pr_{\Gamma,x,t}\left[M^{\Gamma}(F_t(x),H(t)) = x\right] \le \Pr[B_1] + \Pr[B_2 \mid \neg B_1]$
$\le \mathrm{poly}(k)\,2^{-k} + \mathrm{poly}(k)\,2^{-k}$
$\le k^c 2^{-k},$

for some constant c. This completes the proof of Lemma 1. □

Let $\delta(k) = k^{c+2} 2^{-k}$ and we have

$\Pr_{\Gamma}\left[\Pr_{x,t}\left[M^{\Gamma}(F_t(x),H(t)) = x\right] > \delta(k)\right] \le \frac{k^c 2^{-k}}{\delta(k)} = \frac{1}{k^2}.$

Now as $\sum_k 1/k^2$ converges, the Borel-Cantelli Lemma tells us that with probability one over Γ, $\Pr_{x,t}[M^{\Gamma}(F_t(x),H(t)) = x]$ is negligible for sufficiently large k. There are only countably many machines M, each of which can only succeed as an inverter over a measure zero of Γ, so we have the following.⁴

Lemma 2. Relative to measure one of random Γ, injective trapdoor functions exist.


3.2 No OWP in Γ

In this section we show that no OWP exists relative to Γ. It was shown in [20, 16] that no OWP exists relative to an oracle with a PSPACE-complete problem and some random functions. We proceed by showing that the function G does not help us build OWP either. The idea is that it is unlikely to have a valid long input (F(x,H(t)),t) without querying F at (x,H(t)) first. But with x, the answer to the query G(F(x,H(t)),t), one can eliminate this application of G. We can see the random oracle Γ as a family of oracles, with each oracle in the family being a possible instance of Γ.

4 Like previous work on this subject, we only consider uniform adversaries. The analysis does not appear to work against non-uniform adversaries, as there are uncountably many of them.
Assume for the contrary that OWP exists relative to Γ. According to [20], this implies that for any constant δ > 0, there exists a machine M that computes OWP on measure 1 − δ of oracles in Γ. Let Γ' denote this subset of oracles relative to which M is a OWP. We will show that for this M, there is another machine N which never queries G but still produces the same outputs for most inputs. Then we will show that a good inverter exists for N, which can also invert M well, so M cannot be one-way.

Consider inputs from {0,1}^n. Suppose M's running time is bounded by n^c, for some constant c > 2 independent of n. For this constant c, let N be the machine that simulates M step by step, keeps track of the queries to F, and answers any query to G, say on (u,v), by the following. Look for w with u = F(w,v) by going through previous queries to F or searching the space {0,1}^{|u|/3} if |u| ≤ 3c log n. If such w is found, N answers G(u,v) with it. Otherwise N assumes (u,v) an invalid query and answers it with ⊥. This takes at most polynomial time.

For any input x ∈ {0,1}^n, N(x) ≠ M(x) only if M ever queries G on some valid (u,v) with u longer than 3c log n but not obtained by previous queries to F. Then for any fixed random choice of M, N(x) ≠ M(x) for at most $n^c 2^{c \log n} / 2^{3c \log n} = 1/n^c < 1/n^2$ of oracles in Γ, and hence for at most $1/((1-\delta)n^2) < 2/n^2$ of oracles in Γ', for δ < 1/2. Although we can then show that relative to most oracles M and N agree on most inputs, N may not be a permutation relative to most oracles. So we cannot apply [20] directly to invert N, and some modification is needed. First, we can have the following.

Lemma 3. There are less than 2/n fraction of n-bit strings y such that N^{-1}(y) ≠ M^{-1}(y) for more than 2/n of oracles in Γ'.

Proof. Consider the Boolean matrix A with rows indexed by y ∈ {0,1}^n and columns indexed by γ ∈ Γ', such that A_{y,γ} = 1 iff N^{-1}(y) ≠ M^{-1}(y) relative to γ. For each x ∈ {0,1}^n, N(x) ≠ M(x) for at most 2/n² of oracles in Γ', and this contributes at most 2^{-n} · 4/n² fraction of 1's to A. As there are 2^n different x's, the total fraction of 1's in A is at most 4/n². By the pigeon-hole principle, less than 2/n of rows in A have more than 2/n of columns of 1's. □

For any y, M^{-1}(y) is unique relative to any oracle in Γ' since it is a permutation. So by Lemma 3 there are more than 1 − 2/n fraction of n-bit strings y such that N^{-1}(y) is unique for more than 1 − 2/n of oracles in Γ', and hence for more than 1 − 2/n − δ > 1 − ε of oracles in Γ, for any constant ε > δ and sufficiently large n. Observe that based on [El, the proofs of Theorem 9.2 and 9.3 in [20] actually yield the following stronger statement.

Lemma 4. Assume P = NP. There is a constant λ such that for every machine N, there exists a machine N' with the following property. For any ε < λ and for any y, if N^{-1}(y) is unique for 1 − ε of random oracles, then N'(y) = N^{-1}(y) for 1 − √ε of random oracles.

Then the rest follows closely the proof of Theorem 9.4 in [20]. Choose δ < λ such that there exists ε with δ < ε < λ and ε + √ε < 1. We have P = NP relative to Γ, so for any n, there are more than 1 − 2/n of n-bit strings y such that we can find N^{-1}(y) = M^{-1}(y) for more than 1 − √ε of oracles in Γ. By the pigeon-hole principle, there are more than 1 − √ε of oracles in Γ relative to which we can compute M^{-1}(y) for more than 1 − 2/n − √ε fraction of n-bit strings y for infinitely many n. That is, M is one-way relative to less than √ε < 1 − ε < 1 − δ fraction of oracles in Γ, a contradiction. Thus, with probability one over Γ, no one-way permutation exists relative to Γ. Together with Lemma 2 we have the following theorem.

Theorem 1. There is no black-box reduction from OWP to iTDF.

4 PIR Does Not Imply OWP

In this section we construct an oracle Φ relative to which PIR exists but OWP does not. Similar to Section 3, we add a special function G to an oracle consisting of a PSPACE-complete problem and some random functions. The oracle Φ consists of the following.

- A PSPACE-complete oracle.

- A length-tripling random function F(·,·).

- A random function T : {0,1}* → {0,1}.

- A family of random functions H = {H_k : {0,1}* → {0,1}^k | k ∈ N}.

- A family of functions G = {G_k | k ∈ N} defined as follows.

The idea behind this design is the following. In PIR, User shall use F to encrypt her index i as F(i,m), and Server shall call G with F(i,m) and his database x to get

$G(x,F(i,m)) = x[i] \oplus T(H(x),m),$

an encryption of x[i], which can only be decrypted by User. As in the previous section, we will next show that the function G is not useful for a one-party primitive, and thus not useful for building OWP.

Although the oracle Φ is designed to enable PIR, we stress that the definition of Φ does not depend on any instance of PIR. In Φ, the functions F, T, H are random, and the function G is completely determined by F, T, H. When we want to carry out a particular PIR instance, the oracle functions will then be queried at some particular places. For example, with database x and index i, G will be queried at (x, F(i,m)) for a random m.

Note that G is a family of functions, but later when we refer to it, we usually mean some G_k ∈ G, and similarly for H. G is well defined if F is injective, which is not an issue as with probability one, it is so for sufficiently long inputs, and we can make G output 0 on those short inputs. Call a query (u,v) to G valid if G(u,v) ≠ ⊥.
4.1 PIR in Φ

The following is a 2-pass PIR using the oracle Φ, where Server has x ∈ {0,1}^n and User has i ∈ [n]. Let k be the security parameter. For this parameter, we let H denote H_k and let G denote G_k.

Server                                                 User

                          <--   α = F(i,m), for m ∈ U_k
β_1 = G(x,α), β_2 = H(x)  -->   x[i] = β_1 ⊕ T(β_2, m)

The idea is the following. User needs to send her index i to Server in some way in order to obtain the bit x[i]. As User does not want Server to learn her index i, she would like to have it encrypted. So User chooses a random private key m and uses the random function F to encrypt i as F(i,m). Server receives F(i,m) but has no idea about i. How can Server send information about x[i] to User without explicitly knowing the index i? The function G does the magical work, which takes any x together with F(i,m) and returns the bit

$G(x,F(i,m)) = x[i] \oplus T(H(x),m),$

an encryption of x[i]. We want x[i] encrypted, since otherwise Server may recover i by calling G using several different x's (User's security will be proved later). On the other hand, User has the key m, so after receiving G(x,F(i,m)) and H(x), she can query T(H(x),m) and derive

$x[i] = G(x,F(i,m)) \oplus T(H(x),m).$

The total number of bits sent by Server to User is

$|\beta_1| + |\beta_2| = 1 + k,$

which is okay when n > 1 + k.
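The exchange described above, run end to end as an added example that is not part of the original paper: the random functions F, T and H_k of Φ are lazily sampled, G_k is derived from them as defined in this section, and User and Server are the functions below. Byte lengths, the index encoding, and the unmasked variant of G used to show why x[i] must be encrypted are assumptions of this example.

```python
import os


class RandomFunction:
    """Lazily sampled random function; out_len maps a query to the byte length
    of its answer (assumption: the paper's bit strings become byte strings)."""

    def __init__(self, out_len):
        self.out_len = out_len
        self.table = {}

    def __call__(self, *args: bytes) -> bytes:
        if args not in self.table:
            self.table[args] = os.urandom(self.out_len(args))
        return self.table[args]


class OraclePhi:
    """F(.,.), T and H_k of Phi, plus the derived G_k. A database x is a bytes
    object with one bit value (0 or 1) per position, so x[i] is the i-th bit."""

    def __init__(self, k_bytes: int):
        self.k_bytes = k_bytes
        self.F_raw = RandomFunction(lambda a: 3 * sum(len(s) for s in a))
        self.T_raw = RandomFunction(lambda a: 1)
        self.H = RandomFunction(lambda a: k_bytes)    # H_k: {0,1}* -> {0,1}^k
        self.preimages = {}                           # F(i,m) -> (i, m)

    def F(self, i: int, m: bytes) -> bytes:
        alpha = self.F_raw(i.to_bytes(4, "big"), m)   # assumed index encoding
        self.preimages[alpha] = (i, m)
        return alpha

    def T(self, h: bytes, m: bytes) -> int:
        return self.T_raw(h, m)[0] & 1                # T: {0,1}* -> {0,1}

    def G(self, x: bytes, alpha: bytes, masked: bool = True):
        """G_k(x, alpha) = x[i] xor T(H(x), m) if alpha = F(i, m), else ⊥ (None).
        An alpha that F never produced has no preimage except with negligible
        probability (F is length-tripling), so ⊥ for unseen alpha is faithful.
        masked=False is NOT the paper's G: it returns the bare bit x[i] and is
        here only to show what the T mask prevents."""
        if alpha not in self.preimages:
            return None
        i, m = self.preimages[alpha]
        if i >= len(x):        # x[i] undefined: treated as ⊥ (assumption)
            return None
        return x[i] ^ self.T(self.H(x), m) if masked else x[i]


def user_query(oracle: OraclePhi, i: int):
    """Pass 1, User -> Server: alpha = F(i, m) for a fresh private key m in U_k."""
    m = os.urandom(oracle.k_bytes)
    return m, oracle.F(i, m)


def server_answer(oracle: OraclePhi, x: bytes, alpha: bytes):
    """Pass 2, Server -> User: beta1 = G(x, alpha), beta2 = H(x)."""
    return oracle.G(x, alpha), oracle.H(x)


def user_decode(oracle: OraclePhi, m: bytes, beta1: int, beta2: bytes) -> int:
    """x[i] = beta1 xor T(beta2, m); only User holds m."""
    return beta1 ^ oracle.T(beta2, m)


def run_pir(x: bytes, i: int, k_bytes: int = 4):
    """Run the 2-pass protocol; returns (recovered bit, bits sent by Server),
    the latter being |beta1| + |beta2| = 1 + k, which must stay below n."""
    oracle = OraclePhi(k_bytes)
    m, alpha = user_query(oracle, i)
    beta1, beta2 = server_answer(oracle, x, alpha)
    return user_decode(oracle, m, beta1, beta2), 1 + 8 * len(beta2)


def curious_server_probe(oracle: OraclePhi, alpha: bytes, n: int, masked: bool):
    """Positions j for which G on the unit database e_j answers 1. Without the
    mask this is exactly [i]; with the real G every answer is blinded by
    T(H(e_j), m), which Server cannot evaluate without m."""
    hits = []
    for j in range(n):
        e_j = bytes(1 if p == j else 0 for p in range(n))
        if oracle.G(e_j, alpha, masked) == 1:
            hits.append(j)
    return hits
```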

It remains to prove User's security. Note that Server cannot affect what User would send, so whether Server is malicious or not makes no difference on User's security. If Server never queries the function G, the proof is standard as the rest of the oracle consists of merely random functions. The idea is that unless Server can guess User's private key m correctly, queries to G are unlikely to provide useful information. To see this, assume Server does not know m. The function H serves as a random hash and it is unlikely for Server to find distinct x', x'' such that H(x') = H(x'') due to the large image of H(·), for sufficiently large k. Then for a query G(x', F(i,m)), the answer x'[i] ⊕ T(H(x'),m) is likely to look random as T(H(x'),m) is likely so, and such a query is unlikely to be useful. That is, unless G is queried at (x',α) and (x'',α) for such x', x'', G looks like a random function too.

Formally, we show that Server cannot distinguish the messages from User having indices i and j respectively. Consider any machine M as a distinguisher. Let δ(n) = 2^{-k/4}, a negligible function in n. For any i,j ∈ [n], define $\Delta^{i,j}_m = M^{\Phi}(F(i,m)) - M^{\Phi}(F(j,m))$, which is a random variable of Φ. Then

$\mathrm{Ex}_m[\Delta^{i,j}_m] = \Pr_m\left[M^{\Phi}(F(i,m)) = 1\right] - \Pr_m\left[M^{\Phi}(F(j,m)) = 1\right].$

We want to bound the probability

$\Pr_{\Phi}\left[\exists\, i,j : |\mathrm{Ex}_m[\Delta^{i,j}_m]| > \delta(n)\right] \le \sum_{i,j} \Pr_{\Phi}\left[|\mathrm{Ex}_m[\Delta^{i,j}_m]| > \delta(n)\right]$
$\le \sum_{i,j} \mathrm{Ex}_{\Phi}\left[(\mathrm{Ex}_m[\Delta^{i,j}_m])^2\right] / \delta^2(n).$

So we need the following lemma.

Lemma 5. $\forall\, i,j,\ \mathrm{Ex}_{\Phi}\left[(\mathrm{Ex}_m[\Delta^{i,j}_m])^2\right] \le \mathrm{poly}(n)\,2^{-k}$.

Proof. Fix any i,j ∈ [n]. Write Δ_m for Δ^{i,j}_m and note that $\mathrm{Ex}_{\Phi}[(\mathrm{Ex}_m[\Delta_m])^2] = \mathrm{Ex}_{\Phi,m,m'}[\Delta_m \Delta_{m'}]$. Define the following probability events, with Φ, m, m' chosen randomly:

— B_1: On input F(i,m) or F(j,m), M^Φ queries on (∗,m) or knows distinct x', x'' with H(x') = H(x'').

— B_2: On input F(i,m') or F(j,m'), M^Φ queries either F(∗,m), T(∗,m), or G(∗,F(∗,m)).

These are the bad events, which happen with probability at most poly(n) 2^{-k}. Next we show that the expectation of Δ_m Δ_{m'} is small if neither bad event happens.

Consider any restriction Φ_0 of Φ with F(∗,m) and T(∗,m) still random but the rest fixed. M's computation is determined by the input and the answers to its oracle queries.

Assume the condition ¬B_1. Consider any possible run of M^{Φ_0}(F(i,m)) and M^{Φ_0}(F(j,m)), starting with F(i,m) = F(j,m) and then getting the same oracle answers, up to some query. Assume that now for some x', G(x',F(i,m)) and G(x',F(j,m)) are queried respectively, as other oracle answers are fixed under Φ_0. The answers x'[i] ⊕ T(H(x'),m) and x'[j] ⊕ T(H(x'),m) have the same distribution as T(H(x'),m) remains free up to this point. By induction, M^{Φ_0}(F(i,m)) and M^{Φ_0}(F(j,m)) have the same distribution of computations. So given ¬B_1, $\mathrm{Ex}_{\Phi_0}[M^{\Phi_0}(F(i,m))] = \mathrm{Ex}_{\Phi_0}[M^{\Phi_0}(F(j,m))]$ and $\mathrm{Ex}_{\Phi_0}[\Delta_m] = 0$.

Consider any m' ≠ m. Given ¬B_2, Δ_{m'} is fixed under Φ_0 as it does not depend on F(∗,m) or T(∗,m). Let B = B_1 ∪ B_2. Then given ¬B, $\mathrm{Ex}_{\Phi_0}[\Delta_m \Delta_{m'}] = \mathrm{Ex}_{\Phi_0}[\Delta_m]\,\Delta_{m'} = 0$ for any restriction Φ_0. Thus,

$\mathrm{Ex}_{\Phi,m,m'}[\Delta_m \Delta_{m'} \mid \neg B] \le \Pr_{m,m'}[m = m'] = 2^{-k},$

and we have

$\mathrm{Ex}_{\Phi,m,m'}[\Delta_m \Delta_{m'}] \le \Pr_{\Phi,m,m'}[B] + \mathrm{Ex}_{\Phi,m,m'}[\Delta_m \Delta_{m'} \mid \neg B] \le \mathrm{poly}(n)\,2^{-k}.$

□

Then, $\Pr_{\Phi}\left[\exists\, i,j : |\mathrm{Ex}_m[\Delta^{i,j}_m]| > \delta(n)\right] \le \mathrm{poly}(n)\,2^{-k/2}$. As $\sum_n \mathrm{poly}(n)\,2^{-k/2}$ converges for, say, $k = 12(\log^2 n)$, the Borel-Cantelli Lemma tells us that with probability one over Φ, $|\mathrm{Ex}_m[\Delta^{i,j}_m]| \le \delta(n)$ for any i,j ∈ [n] for sufficiently large n. There are only countably many machines M as distinguishers, each of which succeeds with measure zero over Φ. Then with probability one over Φ, Server cannot learn User's index for sufficiently large n. So we have the following.

Lemma 6. Our protocol is a PIR relative to measure one of Φ.


4.2 No OWP in Φ

The proof that no OWP exists in Φ is almost identical to the one in Section 3.2. Assume the contrary that there is a PPTM M, with time bound n^c, that computes a OWP. We construct N by simulating M and replacing any query to G at (u,v) by ⊥ if v is longer than 3c log n and not obtained from a previous query to F. If v is obtained from a previous query F(s,t) or short enough to find s,t by exhaustive search, N replaces G(u,v) by u[s] ⊕ T(H(u),t). Then, as in Section 3.2, N has the same output as M does on most inputs, but N can be inverted on most inputs. It follows that M is not one-way, a contradiction. So we have the following.

Theorem 2. There is no black-box reduction from OWP to PIR.

Together with Theorem 1 and previous results, we have the following.

Corollary 1. There is no black-box reduction from OWP to any of the basic primitives, including TDF, PKE, PIR, OT, KA, OWF, PRG, PRF, BC, and DS.
Abstract. We present a statistically-hiding commitment scheme allowing commitment to arbitrary size integers, based on any (Abelian) group with certain properties, most importantly, that it is hard for the committer to compute its order. We also give efficient zero-knowledge protocols for proving knowledge of the contents of commitments and for verifying multiplicative relations over the integers on committed values. The scheme can be seen as a generalization, with a slight modification, of the earlier scheme of Fujisaki and Okamoto [14]. The reasons we revisit the earlier scheme and give some modification to it are as follows:

— The earlier scheme [14] has some gaps in the proof of soundness of the associated protocols, one of which presents a non-trivial problem which, to the best of our knowledge, has remained open until now. We fill all the gaps here using additional ideas including minor modification of the form of a commitment.

— Although related works such as [8, 3, 10, 4] do not suffer from the main problem we solve here, the reason for this is that they use "commitments" with a single base (i.e., of form c = g^s mod n). Such commitments, however, cannot satisfy the standard hiding property for commitments, and hence protocols using them cannot in general be (honest-verifier) zero-knowledge nor witness indistinguishable.

— In a computationally convincing proof of knowledge where the prover produces the common input (which is the type of protocol we look at here), one cannot completely exclude the possibility that a prover manages to produce a common input on which he can cheat easily. This means that the standard definition of proofs of knowledge cannot be satisfied. Therefore we introduce a new definition for computationally convincing proofs of knowledge, designed to handle the case where the common input is chosen by the (possibly cheating) prover.

— Our results apply to any group with suitable properties. In particular, they apply to a much larger class of RSA moduli than the safe prime products proposed in [14]. Potential examples include RSA moduli, class groups and, with a slight modification, even non-Abelian groups.

Our scheme can replace the earlier one in various other constructions, such as the efficient interval proofs of Boudot and the efficient proofs for the product of two safe primes proposed by Camenisch and Michels.

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 125-142, 2002.
1 Introduction

1.1 Statistically-Hiding Commitment and Associated Protocols

The notion of commitment is at the heart of many cryptographic protocols. 
The basic functionality one wants from a commitment is that the committer 
may choose in private a secret s from some set S and release some information, 
the commitment to a verifier, such that: even though the scheme is hiding, i.e., 
the verifier cannot compute anything about s from the commitment, it is also 
binding, i.e., the committer cannot change his mind after having committed, but 
he can later open the commitment to reveal s, and convince the verifier that this 
was indeed the original value committed to. 

In many applications, one wants extra functionality from a commitment scheme, for instance that the committer can prove in zero-knowledge that he knows how to open a given commitment, in particular that he knows the value committed to. Also, if S has an algebraic structure, say as a ring or a group, it can be very useful to have a multiplication protocol, i.e., a zero-knowledge protocol in which the committer can prove that committed values a, b, c satisfy ab = c. If S is a ring, one can often, in addition, achieve that from commitments to a, b ∈ S, the verifier can compute a commitment to a + b without interacting with the committer.

One example of such a scheme where S = Z/qZ, where q is a prime, is the scheme of Pedersen. For the associated protocols and additional examples, see 0 . In the vast majority of examples known, the set S is Z/mZ for some m, where m may or may not be a prime. A multiplication protocol for such a scheme is a protocol by which one can demonstrate that for committed numbers a, b, c, ab = c mod m holds. However, there are several important cases where what you actually need is something stronger, namely to be able to prove that ab = c holds over the integers. One example of this is if you want to show that a committed number s is an RSA signature on a given message a w.r.t. public key n, 3. What we want to know is that a = s^3 + tn for some t, and this of course must be true over the integers and not just modulo m. Of course, one might be able to solve this by choosing the commitment scheme such that m = n, but this requires that at least you know n at the time the commitment scheme was set up, and also a new instance of the commitment scheme for each n. This is often unreasonable in practice. There are other ways around the problem, see for instance m but the protocols are far from optimal, typically one has to resort to "binary cut-and-choose", which means communication complexity at least quadratic in the security parameter. Another example of the need for relations over the integers is the efficient zero-knowledge proofs of Boudot for demonstrating that a committed number is in a given interval. Here, it is crucial for efficiency that one can prove efficiently that committed numbers a, b satisfy b = a^2 over the integers.

It should be clear that what we really need here is an integer commitment scheme, that is, a scheme where S = Z (or at least some large finite interval), and where there is an efficient multiplication protocol that works over the integers. Here, by efficient, we mean constant round protocols requiring only communication linear in the security parameter.


1.2 The Earlier Scheme with Statistically-Hiding Commitment

In [14], Okamoto and the second author of this paper presented the first efficient integer commitment scheme and also suggested an efficient multiplication protocol. The scheme is based on the strong RSA assumption suggested in m-. However, via private communication, we found some gaps in the proof of soundness of the associated protocols, one of which we think presents a non-trivial problem which, to the best of our knowledge, has remained open until now. Later in the paper we give a short explanation of the problem in the proof from [14]. We fill all the gaps here using additional ideas including a minor modification of the form of a commitment.


1.3 Other Related Works

There are several related works inspired by [13] such as [8, 3, 10, 4]. The protocols constructed there generally do not suffer from the main problem we mentioned above. However, the reason for this is that they use "commitments" with a single base, i.e., a commitment to s is of form c = g^s mod n. Such a commitment does not satisfy the standard hiding property for commitments. For instance, if a prover commits twice to the same value, this is immediately visible. Thus derived protocols using such commitments are not in general (honest-verifier) zero-knowledge nor witness indistinguishable.

Boudot pointed out another problem in the proof of soundness. In this type of protocols (based on a group with a hidden order), the natural protocol for showing that one knows how to open a commitment c can in fact only show that the prover can open c or −c (a problem that even |Si;timi4j cannot avoid). This is not so serious in practice but we suggest a solution to this problem too, by changing the way in which commitments are opened.


1.4 Our Scheme 

In this paper, we present a commitment scheme that may be seen as a generalization of the Fujisaki-Okamoto scheme. We start with an arbitrary Abelian group G, with some basic properties. We assume that the verifier can choose the group and publish a description of it that allows anyone to compute the group and inversion operations in G. For the RSA case, this amounts to publishing the modulus n. The most important extra property we need is that it is hard, given the description, to extract the roots of a given random element in G. This is just a natural generalization of the strong RSA assumption. Some extra technical conditions are needed as well, we detail those later. We then build from this an integer commitment scheme, as well as a zero-knowledge protocol for proving knowledge of how to open a commitment, and an efficient zero-knowledge multiplication protocol. In order to analyze these protocols, we introduce a new definition of computationally convincing proofs of knowledge, designed to handle the case where the common input is chosen by the (possibly cheating) prover. Our analysis is done in the exact security setting.

If we specialize to the case where G = (Z/nZ)^× for an RSA modulus n, we obtain, modulo some technical changes, the commitment scheme of Fujisaki and Okamoto, in particular we get what appears to be the first secure multiplication protocol for this type of scheme. In addition, the conditions we need on G turn out to translate into conditions on n that are much milder than those needed in the original paper [14], namely that n = pq is a safe prime product. We only need that gcd(p − 1, q − 1) = 2 and p − 1, q − 1 don't have too many small prime factors (whose precise description follows below). Finally, our construction is applicable to groups other than RSA, for instance class groups. Here, it should be noted that finding roots in a class group seems to require finding the order of the group, and this problem is known to be at least as hard as factoring, and may in fact be harder.

Our commitment scheme and protocols are not exactly the same as those of [14], even when specialized to G = (Z/nZ)^×. However, with some minor technical changes of the commitment scheme in [14] one can give correct proofs for soundness of their protocols following the ideas we give here. However, our protocols are slightly more efficient than those of [14].

There are several variants for our protocols that we do not explain here due to space limitations, except for a few extensions given in Appendix ITU

2 Model

As usual, probability ε(k) will be called negligible if for all polynomials f(·), we have ε(k) < 1/f(k) for all large enough k. On the other hand, 1 − ε(k) will be called overwhelming if ε(k) is negligible. Also, we say ε(k) is significant if for some polynomial f(k), we have ε(k) > 1/f(k) for all large enough k.

Suppose now that we are given a probabilistic polynomial time algorithm 𝒢 which on input 1^k outputs a description descr(G) of a finite Abelian group G, where we assume one can efficiently verify from descr(G) that it actually specifies such a group. The algorithm may also output some side information, such as the order of G, or the prime factorization of the order; it may even be possible to ensure that the order of the group satisfies certain conditions. An example of such a 𝒢 is an RSA key generation algorithm; in this case it is indeed possible to generate a group with known and controlled order.

Given descr(G), we assume that one can compute efficiently some estimates on the order, 2^A < ord(G) < 2^B, where A and B are polynomial in k. We also assume that elements can be sampled randomly from the group and that inversion and group operation can be computed efficiently.

In order for our protocols to work, we need, loosely speaking, that it is hard to find non-trivial roots of elements in G. Furthermore, we need a condition on the structure of G's output by 𝒢. Loosely speaking, we need that G has a large subgroup with only large prime factors in its order. To make this more precise, we assume that two functions are associated with 𝒢: C(·), l(·), that map positive integers to positive integers. Typically, C(k) is super-polynomially large as a function of k, whereas l(k) is always a polynomial. For any G produced by 𝒢 on input 1^k, we will consider primes greater than C(k) as being "large". By the structure theorem for Abelian groups, we can always write G = U × H, where the order of H has only prime factors larger than C(k), and the order of U has only prime factors at most C(k). We say |H| is C(k)-rough, as opposed to being C(k)-smooth, which means a number has only prime factors less than C(k). Thus l_G := |U| is C(k)-smooth.

We are now ready to state our assumptions about groups output by 𝒢:

Group Assumption. For any G generated by 𝒢 on input 1^k the following hold:

1. Write G = U × H as above, with C(k)-smooth l_G = |U| and C(k)-rough |H|. Then l_G < l(k) and descr(G) includes l_G.

2. For any string Y, when given descr(G), it can be decided in (deterministic) polynomial-time in k whether Y represents an element in G.

Root Assumption. Let A be a probabilistic algorithm. We run 𝒢 on input 1^k to get descr(G). We give descr(G) and a random Y ∈ G as an input to A. We say that A solves the root problem if A outputs an integer e (> 1), X ∈ G, and μ ∈ U such that Y = μX^e (where μ ∈ U can be verified by checking that μ^{l_G} = 1 ∈ G). In particular, we say that the root problem is (t(k), ε(k))-secure if for k, any adversary A that runs in time at most t(k), solves the root problem with probability of at most ε(k). The probability is taken over the coin tosses of 𝒢 and A, as well as the random choice in G.

Some remarks on the assumptions:

The condition that l_G < l(k) says that G has many elements with only large prime factors in their orders: If Y is chosen randomly in G, then there is a significant probability, 1/l(k), that the order of Y is C(k)-rough. We want to stress that it is essentially important that membership in G can be decided efficiently; although this property is often ignored and forgotten, this was one reason why proofs of soundness for the earlier protocols suggested in [14] were incomplete. We will assume throughout that when a party receives an element that is supposed to be in G, membership in G is always checked.

The assumption that l_G is known and is part of the description can be removed, if in the protocols to follow, one replaces exponentiations to the power l_G by exponentiations to l(k)!. The price is loss of efficiency, since $l(k)! \approx \sqrt{2\pi}\, l(k)^{l(k)+1/2} e^{-l(k)} \gg l_G$. However, the cost to exponentiate to power l(k)! is still polynomial in k.

The second assumption is a generalization of the strong RSA assumption: we require that extracting non-trivial roots is hard, even if one is allowed to multiply the input by an element of relatively small known order. We may think of this as root extraction in a factor group: when the adversary algorithm gets an input element $Y$, this represents an element $\bar{Y}$ in the quotient group $G/U$, and the adversary's task is actually to extract a non-trivial ($e$-th) root of $\bar{Y}$ in $G/U$. He must, however, demonstrate that his answer, when raised to the $e$-th power, represents the same element as does $Y$. We require that he does this by also producing $\mu$.

If we specialize to the RSA case, i.e., $G = (\mathbb{Z}/n\mathbb{Z})^*$ for an RSA modulus $n$, it may seem that the root assumption as we defined it here makes an even stronger requirement than the standard strong RSA assumption [2,12], since the adversary in our case is given $l_G$ and does not have to find a root of $Y$, but of $\mu Y$ for any $\mu \in U$. This is not the case, however. We now show that RSA moduli can be constructed such that our assumptions are satisfied for these groups, based only on the strong RSA assumption in its standard form. Suppose we make a $k$-bit modulus $n = pq$ such that $\gcd(p-1, q-1) = 2$. We choose $C(k)$ as some super-polynomial function much less than $2^k$, for instance $C(k) = 2^{k/10}$, and we set $l(k) = k$. We construct $p, q$ such that the factor of $(p-1)(q-1)$ with prime factors less than $C(k)$ is in $O(k)$ (this factor is $l_G$, where $G = (\mathbb{Z}/n\mathbb{Z})^*$). We then set $G = (\mathbb{Z}/n\mathbb{Z})^*$ and $\mathrm{descr}(G) = \{n, l_G\}$. Now, the root assumption (in its asymptotic form) turns out to be equivalent to the standard strong RSA assumption. First note that it makes little difference whether $l_G$ is known, since it can be guessed with significant probability. Then suppose algorithm $A$ on input $Y, n, l_G$ finds $X, e, \mu$ such that $Y = \mu X^e$, $\mu^{l_G} = 1$. Now, if there is non-negligible probability that $\mu \neq \pm 1$, we can use $\mu, l_G$ to factor $n$: we first factor $l_G$, and then we can find an element $\rho$ of known prime order $s$. If $s = 2$, $\rho$ is a non-trivial square root of 1 and $\gcd(\rho - 1, n)$ is a factor of $n$. But if $s$ is odd, it cannot divide both $p-1$ and $q-1$, and therefore $\rho$ must be congruent to 1 modulo one of $p$ or $q$ and different from 1 modulo the other. Hence, also in this case, $\gcd(\rho - 1, n)$ is a non-trivial factor of $n$. On the other hand, if $\mu = \pm 1$ with non-negligible probability, we can solve the strong RSA problem: given input $h \in (\mathbb{Z}/n\mathbb{Z})^*$, we choose a random bit $b$ and give $(-1)^b h$ as input to $A$. Since $A$ receives the same input distribution as usual, it outputs a non-trivial root of $(-1)^b h$ or $-(-1)^b h$ with good probability. Since $A$'s choice of the sign cannot be correlated to our choice of $b$, we obtain a root of $h$ with non-negligible probability.

Note that a special case of this construction of $n$ is when $n = pq$ is a safe prime product, i.e., $(p-1)/2$, $(q-1)/2$ are primes, but evidently the construction covers a much larger class of moduli.
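To make the RSA-type construction concrete, here is an added worked example in Python; it is illustration code, not code from the paper. It builds a toy modulus $n = 43 \cdot 23$ with $\gcd(p-1, q-1) = 2$, computes $l_G$ as the $C$-smooth part of $(p-1)(q-1)$ for the constructed bound $C = 5$, enumerates $U$, checks that exactly a $1/l_G$ fraction of the group has $C$-rough order, and carries out the factoring step of the reduction above from an element $\mu \in U$ with $\mu \neq \pm 1$. All parameters are constructed toy values chosen so that the subgroups can be enumerated by brute force.

```python
from math import gcd

# Constructed toy instance of the RSA-type group from the text: p, q with
# gcd(p-1, q-1) = 2, G = (Z/nZ)^*, and "small prime" meaning below the bound C.
# Everything is tiny so that subgroups can be enumerated by brute force.
P, Q = 43, 23          # p-1 = 2*3*7, q-1 = 2*11, gcd(42, 22) = 2
N = P * Q              # n = 989
C = 5                  # toy stand-in for C(k): the primes 2 and 3 count as small
PHI = (P - 1) * (Q - 1)


def smooth_part(m, bound):
    """Product of the prime-power factors of m whose prime is below bound."""
    result = 1
    for d in range(2, bound):
        while m % d == 0:
            m //= d
            result *= d
    return result


def prime_factors(m):
    """Distinct prime factors of m by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return sorted(factors)


# l_G: the C-smooth part of (p-1)(q-1) is the order of U = {y : y^l_G = 1}.
L_G = smooth_part(PHI, C)


def in_U(y):
    """Membership test for U, exactly as the text verifies mu in U."""
    return gcd(y, N) == 1 and pow(y, L_G, N) == 1


def subgroup_U():
    """Enumerate U by brute force; only possible because n is tiny."""
    return [y for y in range(1, N) if in_U(y)]


def element_order(y):
    """Order of y in (Z/nZ)^*, found by testing the divisors of phi(n)."""
    return next(d for d in range(1, PHI + 1) if PHI % d == 0 and pow(y, d, N) == 1)


def fraction_with_rough_order():
    """(number of units whose order has no prime factor below C, group size)."""
    rough = sum(1 for y in range(1, N) if gcd(y, N) == 1
                and smooth_part(element_order(y), C) == 1)
    return rough, PHI


def factor_from_U_element(mu):
    """The reduction in the text: from mu in U with mu != +-1, factor n.
    For each prime s dividing l_G, push mu into an element rho of order exactly s;
    then gcd(rho - 1, n) splits n (s = 2: rho is a non-trivial square root of 1;
    s odd: s divides only one of p-1, q-1, so rho is 1 modulo exactly one prime)."""
    assert in_U(mu) and mu not in (1, N - 1)
    for s in prime_factors(L_G):
        m = L_G
        while m % s == 0:
            m //= s
        rho = pow(mu, m, N)          # ord(rho) is now a power of s
        if rho == 1:
            continue
        while pow(rho, s, N) != 1:
            rho = pow(rho, s, N)     # descend until ord(rho) = s
        f = gcd(rho - 1, N)
        if 1 < f < N:
            return f
    return None
```

For this modulus $l_G = 12$ and the $C$-rough elements are exactly the $77 = 7 \cdot 11$ elements of $H$, so the fraction with rough order is $77/924 = 1/l_G$, matching the remark that a random element has $C(k)$-rough order with probability at least $1/l(k)$.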

3 Some Definitions

We will often use the concepts of zero-knowledge and computational/statistical indistinguishability. For definitions of these, refer to [ref]. The definitions below are all in the exact security style. It is straightforward to derive asymptotic-type definitions from the exact-security style ones.

We then define the type of commitment scheme we will look at. Our commitments will be statistically (unconditionally) hiding and computationally binding. Concretely, a commitment scheme consists of a probabilistic polynomial time key generator $\mathcal{H}$, which on input $1^k$ outputs a public key $pk$ and a witness $w$. We let $L_{\mathcal{H}}$ be the set of public keys that $\mathcal{H}$ can produce as output; $w$ is an NP-witness to the fact that $pk \in L_{\mathcal{H}}$. The scheme also defines an algorithm $\mathrm{commit}$ that takes as inputs $pk$, a string $s$ to be committed to, and a random string $r$, both of lengths that are fixed polynomials in $k$. The output is a commitment to $s$, $\mathrm{commit}_{pk}(s, r)$, and a string $u$. Finally, we have an algorithm $\mathrm{verify}$ that takes as inputs $pk$, a commitment $c$, and strings $s, u$, where the output (denoted $\mathrm{verify}_{pk}(c, s, u)$) is accept or reject.

Such a scheme can be used by a committer $C$ and a receiver $R$ as follows: in the set-up phase, $R$ runs $\mathcal{H}$ to get $pk, w$, sends $pk$ and uses $w$ to give a zero-knowledge interactive proof [ref] that $pk \in L_{\mathcal{H}}$. $C$ can commit to $s$ by running $\mathrm{commit}$ on $pk$, $s$ and random input $r$, sending $c = \mathrm{commit}_{pk}(s, r)$ to $R$ and keeping $r$ secret. Opening takes place by revealing $s, r$ to $R$, who can then check that $\mathrm{verify}_{pk}(c, s, r) = \mathrm{accept}$.

We then require the following:

Hiding: For $pk \in L_{\mathcal{H}}$, uniform $r, r'$ and any $s, s'$, we have that the distributions of $\mathrm{commit}_{pk}(s, r)$ and $\mathrm{commit}_{pk}(s', r')$ are (statistically) indistinguishable (as defined in [ref]).

Binding: We say that binding is $(t(k), \epsilon(k))$-secure if for any $C$ running in time at most $t(k)$, the probability that $C$ on input $pk$ computes $s, r, s', r'$ such that $\mathrm{commit}_{pk}(s, r) = \mathrm{commit}_{pk}(s', r')$ and $s \neq s'$ is at most $\epsilon(k)$.

We will also need to consider proofs of knowledge in the following. For this, we use a modification of the definition of Bellare and Goldreich, in the version for computationally convincing proofs of knowledge [ref]. Let a binary relation $R$ be given, where a prover $P$ and a verifier $V$ are both probabilistic polynomial time interactive Turing machines. Intuitively, the prover's claim is that for a given common input $c$, he knows $w$ such that $(c, w) \in R$.

To define this in our setting, we cannot use the original definition in [ref] without change. This is because it asks that the soundness of the protocol holds for all (large enough) instances $c$. In our scheme, this is more than we can reasonably ask for: in our case, one may think of $c$ as a commitment and $w$ as the string $P$ can use to open $c$. Furthermore, the scenario is that $P$ sees the public key of the scheme, produces the commitment and then tries to prove he knows how to open it. But this proof is only computationally convincing in our case, so a cheating prover may have some chance of producing, based on the public key, a commitment he cannot open, but where the proof nevertheless is successful with large probability. This can typically happen if the prover manages to compute some trapdoor information associated with the public key. This information can always be guessed with non-zero probability, so the problem cannot be completely avoided, but we can at least require that it occurs only with small probability. In our definition of soundness, therefore, we first let the prover see a public piece of information; he then produces $c$ and conducts the proof. A cheating prover $P^*$ wins if the standard soundness requirement fails for this $c$, and we are satisfied with the proof system if within some time bound $P^*$ can only win with some bounded (small) probability.
For the above definition we need to consider a relation generator, an algorithm $\mathcal{R}$ that takes $1^k$ as input and produces as output a description of a binary relation $R$. By this we mean a string containing information sufficient to sample random pairs $(c, w) \in R$ efficiently and to test membership in $R$ efficiently. We will use $R$ to denote both this description and the relation itself. For instance, $\mathcal{R}$ might be the key generator for a commitment scheme, and we can think of the public key $pk$ as defining a relation consisting of pairs $(c, (s, r))$ for which $\mathrm{verify}_{pk}(c, s, r) = \mathrm{accept}$.

A prover in our setting is a machine $P$ who gets $R$ as input, outputs a string $c$ and finally conducts the interactive proof with a verifier $V$ using $R, c$ as common input. For convenience, we want to be able to refer to $P$'s strategy when executing the proof as a separate machine. Therefore, from $P$ we define a machine $P_{view}$ which starts in the state $P$ is in after having seen view $view$ and having produced $c$. $P_{view}$ then conducts the protocol with $V$ following $P$'s algorithm. The view $view$ contains all inputs, messages exchanged and random coins, so in particular $c$ is determined by $view$. Note that the distribution of $view$ is taken over the random coins of both $P$ and $\mathcal{R}$. We let $\epsilon_{view,P}$ be the probability with which $P_{view}$ makes $V$ accept, i.e., $\epsilon_{view,P}$ is $P$'s probability of making $V$ accept, conditioned on $view$.

An extractor will be a machine $M$ that gets $R, c$ as input, has black-box access to $P_{view}$ for some $view$ consistent with $c$, and computes a witness $w$ such that $(c, w) \in R$. The intuition is that the prover "knows" $w$ if we can use $M$ to extract it from him. To measure this, we need a knowledge error function $\kappa()$. Intuitively, $\kappa(k)$ is the probability that the prover can cheat on input generated from security parameter value $k$, i.e., make $V$ accept while knowing nothing about $w$.


Definition 1. For some given cheating prover $P^*$, extractor $M$ and polynomial $p()$, we say $M$ fails on view $view$ if $\epsilon_{view,P^*} > \kappa(k)$ and the expected running time of $M$ using $P^*_{view}$ as oracle is greater than $p(k)/(\epsilon_{view,P^*} - \kappa(k))$.


This definition is motivated by the fact that the standard knowledge soundness requirement from [ref] says that the extractor must run in expected time at most the bound in the definition. Note that in any situation where $P^*$ has produced $c$ having seen $view$, it is well defined whether $M$ fails or not. Intuitively, one may think of this as saying that if $M$ does not fail in a given situation, then $P^*$ really "must know" a witness for $c$ in order to make $V$ accept with probability better than $\kappa(k)$.


Definition 2. Let $\mathcal{R}$ be a probabilistic polynomial time relation generator, and let a protocol $(P, V)$, a knowledge extractor $M$, a polynomial $p()$ and a knowledge error function $\kappa()$ be given. Consider the following experiment with input $k$: $R := \mathcal{R}(1^k)$, $c := P^*(R)$ (this defines the view $view$). We define the advantage of $P^*$, $\mathrm{Adv}_{\kappa,M,p}(P^*, k)$, as the probability that $M$ fails on the view generated by this experiment. This probability is taken over the random coins of $\mathcal{R}$ and $P^*$.


Finally, for a relation $R$, we let, as usual, $L_R = \{c \mid \exists w : (c, w) \in R\}$. We are now ready to define computationally convincing proofs of knowledge:

Definition 3. Let $\mathcal{R}$ be a probabilistic polynomial time relation generator. We say that $(P, V)$ is a computationally convincing proof of knowledge for $\mathcal{R}$, with knowledge error $\kappa()$, failure probability $\nu()$ and time bound $t()$, if the following hold:

Knowledge Completeness. The honest prover $P$ receives $R \leftarrow \mathcal{R}(1^k)$, produces $(c, w) \in R$, sends $c$ to $V$ and finally conducts the protocol with $V$, who accepts with overwhelming probability in $k$.

Knowledge Soundness. There exists a polynomial $p()$ and an extractor $M$ such that for all provers $P^*$ running in time at most $t(k)$, $\mathrm{Adv}_{\kappa,M,p}(P^*, k) \le \nu(k)$.

4 The Commitment Scheme 

Based on the above model, the goal is to make a commitment scheme with protocols to verify various claims on committed values. The basic scheme is that the verifier $V$ (the receiver of commitments) will run $\mathcal{G}$ and send $\mathrm{descr}(G)$ (and more information to be described later) to the prover $P$ (the committer).

Set-Up. $V$ runs $\mathcal{G}(1^k)$ and chooses a random element $h \in G$ such that $\mathrm{ord}(h)$ is $C(k)$-rough (this can be done by raising a random element to the power $l_G$). Now $V$ sets $g = h^\alpha$, where $\alpha$ is randomly chosen in $[0..2^{2B+k}]$. $V$ sends $\mathrm{descr}(G), g, h$ to $P$ and proves that $g \in \langle h \rangle$ by the standard zero-knowledge discrete log protocol with binary challenges: in one iteration of this, $V$ sends $a = h^R$ for a random $R \in [0..2^{2B+2k}]$. $P$ selects a random bit $b$, and $V$ replies with $z = R + b\alpha$. $P$ checks that $h^z = a g^b$. Repeating this $k$ times results in a soundness error of $2^{-k}$, and the protocol is easily seen to be statistical zero-knowledge. This is not a very efficient solution, but it only needs to be done once and only in the set-up phase.

Commit. To commit to an integer $x$, $P$ chooses $r$ at random in $[0..2^{B+k}]$, sends $c = g^x h^r$ to $V$, and stores $x, r$ for later use.

Open. To open a commitment, $P$ must send $x, r, \mu$ such that $c = \mu g^x h^r$ and $\mu^{l_G} = 1$. An honest prover can always use $\mu = 1$. Although this gives a dishonest prover extra freedom, this in no way makes the commitment scheme weaker: the binding property still holds, as we argue below. Indeed, recalling our comments on the root assumption, one may think of the scheme as taking place in the quotient group $G/U$, where $U$ is the subgroup of $G$ consisting of all elements of $C(k)$-smooth order. From this point of view, the opening condition simply ensures that the prover opens something representing the same element as $c$ in $G/U$ (the quotient group is defined canonically so that $c \equiv c' \pmod U$ iff there is a $\mu \in U$ such that $c = \mu c' \in G$).

As for hiding, note that $P$ verifies initially that $g \in \langle h \rangle$. Hence, since $r$ is chosen with bit length at least $k + \log_2(\mathrm{ord}(h))$, $c$ is statistically close to uniform in $\langle h \rangle$, for any value of $x$.

As for binding, we consider any prover $P^*$ who can create $c$ and the corresponding valid distinct openings $(\mu, x, r)$ and $(\mu', x', r')$. It follows that we get $\mu g^x h^r = c = \mu' g^{x'} h^{r'}$. Recall that $V$ creates $g$ as $g = h^\alpha$. Plugging this in and raising both sides of the equation to the power $l_G$, we get that $h^{l_G(\alpha(x - x') + (r - r'))} = 1$. We can write $\alpha = q \cdot \mathrm{ord}(h) + res$ for integers $q, res$ with $0 \le res < \mathrm{ord}(h)$. Then from $P^*$'s point of view, $res$ is uniquely determined from $g$, whereas there is an exponentially small amount of information on $q$ (the only source of information is the proof that $g \in \langle h \rangle$, which is statistical zero-knowledge). So $P^*$'s choice of $x, x', r, r'$ is (almost) independent of $q$. It follows that $l_G(\alpha(x - x') + (r - r')) = 0$ (as an integer) with probability exponentially small in $k$. Assuming this number is indeed non-zero, $\mathrm{ord}(h)$ must divide $M := \alpha(x - x') + (r - r')$ (since the order is $C(k)$-rough).

We can now use $P^*$ to break the root assumption as follows: given input $\mathrm{descr}(G)$, $h \in G$, we choose $g$ as $V$ would have done, send $\mathrm{descr}(G), h, g$ to $P^*$ and execute in the normal way the proof that $g \in \langle h \rangle$. With probability at least $1/l(k)$, $h$ will have $C(k)$-rough order and everything has the same distribution as in a normal execution of the commitment scheme. Given that $P^*$ breaks the binding property as described above, this allows us (except with negligible probability) to compute $M$, a multiple of the order of $h$. Now choose any $t$ that is relatively prime to $M$ and output $h^{t^{-1} \bmod M}$ and $t$.

Summarizing, we have: 

Theorem 1. Under the root assumption, the above scheme is an unconditionally hiding and computationally binding commitment scheme. If the root assumption is $(t(k), \epsilon(k))$-secure, then the binding property is $(t(k),\ )$-secure for some constant $\gamma$.

5 Associated Protocols 

5.1 Proving You Know How to Open 

The following protocol can be used by $P$ to show that he can open a given commitment $c = g^x h^r$.

We will assume that $x$ is in $[-T..T]$, where $T\,(>0)$ is a public constant. $T$ can be chosen arbitrarily large and is only used to control the size of the prover's random choices; this allows an honest prover to ensure that the protocol hides the value of $x$ whenever $-T < x < T$. In any application of the scheme, one simply chooses $T$ large enough to accommodate any choice of $x$ an honest prover would need to make in the given scenario. The protocol guarantees an honest verifier that $-TC(k)(2^k + 2) < x < TC(k)(2^k + 2)$. To prove that $x$ is in some other (smaller) interval, other techniques exist; see e.g. [ref].

1. $P$ chooses $y \in [0..TC(k)2^k[$, $s \in [0..C(k)2^{B+2k}[$ at random and sends $d = g^y h^s$ to $V$.

2. $V$ chooses $e \in [0..C(k)[$ at random and sends it to $P$.

3. $P$ sends $u = y + ex$, $v = s + er \in \mathbb{Z}$. $V$ checks that $g^u h^v = d c^e$ and that $u \in [-TC(k)..TC(k)(2^k + 1)]$.
Define a relation generator $\mathcal{R}$ as follows: run $\mathcal{G}(1^k)$ to get $G$, choose $h \in G$ with $C(k)$-rough order, set $g = h^\alpha$ and output $\mathrm{descr}(G), g, h$. Then define the relation $R = \{(c, (\mu, x, r)) \mid c, \mu \in G,\ c = \mu g^x h^r,\ \mu^{l_G} = 1,\ x \in [-TC(k)(2^k + 2)..TC(k)(2^k + 2)]\}$.


We now analyze to what extent the protocol above satisfies our definition of knowledge soundness, in particular for which knowledge error functions the definition is satisfied. Accordingly, let $\kappa()$ be any knowledge error function such that $\kappa(k) \ge 4/C(k)$ for all $k$. We then must define an extractor $M$. Let a polynomial time prover $P^*$ be given and let $view$ be any view $P^*$ may have after having produced a commitment $c$. Now, it can be shown that since there are $C(k)$ different challenges, if $\epsilon_{view,P^*} > \kappa(k) \ge 4/C(k)$, standard rewinding techniques allow us to obtain in expected polynomial time a situation where, for a given $d$, $P^*$ has correctly answered two different values $e$ and $e'$ with numbers $u, v$ and $u', v'$, so we get $g^{u-u'} h^{v-v'} = c^{e-e'}$. Let Rewind be a (probabilistic) procedure that creates $e, e', u, v, u', v'$ in this way. A concrete algorithm for Rewind is given in Appendix A. It runs in expected time $56/\epsilon_{view,P^*}$, counting the time to do the protocol once with $P^*$ as one step.$^1$

Assume without loss of generality that $e > e'$ and suppose that $(e - e')$ divides both $(u - u')$ and $(v - v')$. We now see that the element $\mu = g^{(u-u')/(e-e')} h^{(v-v')/(e-e')} c^{-1}$ satisfies $\mu^{e-e'} = 1$. Since $e - e' < C(k)$, it follows that $\mathrm{ord}(\mu)$ is $C(k)$-smooth, so that $\mu^{l_G} = 1$. So $c$ can be correctly opened by sending $(u - u')/(e - e')$, $(v - v')/(e - e')$, $\mu$. Moreover, $V$'s check on the size of $u, u'$ implies that $(u - u')/(e - e')$ is in the required interval. A set of values $e, e', u, u', v, v'$ is said to be bad if $e - e'$ does not divide both $u - u'$ and $v - v'$. The extractor $M$ simply repeats calling Rewind (for this same $c$) until it gets a set of good values. We will analyze knowledge soundness with this $M$ and the polynomial $p(k)$ from the definition set to the constant 112. We start with a lemma that gives an exact bound on the security.
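The three moves of the protocol in Section 5.1, the honest-verifier simulation used later for its zero-knowledge property, and the extraction step just described (good versus bad sets of values) as one added Python example; this is illustration code, not the paper's. It assumes the toy group $n = 43 \cdot 23$, $l_G = 12$ with $h = 692$ (an element of $C(k)$-rough order 77, i.e. what the set-up obtains as a random element raised to $l_G$) and the constructed parameters $C(k) = 5$, $B = 10$, $k = 8$, $T = 100$; negative modular exponents need Python 3.8 or later.

```python
import random

# Constructed toy group (not the paper's parameters): G = (Z/nZ)^*, n = 43*23,
# l_G = 12 = |U|. H = 692 has order 77, which is C(k)-rough for C(k) = 5; it is
# the kind of element V's set-up gets by raising a random element to l_G.
N, L_G, H = 43 * 23, 12, 692
C = 5            # toy C(k): challenges come from [0..C[
B, K = 10, 8     # assumed bound 2^B >= |G| = 924 and a tiny security parameter
T = 100          # public bound: an honest x lies in [-T..T]


def make_key(rng):
    """V picks g = h^alpha with alpha in [0..2^(2B+k)]; alpha is never used by P."""
    while True:
        g = pow(H, rng.randrange(0, 2 ** (2 * B + K) + 1), N)
        if g != 1:          # toy-size guard: g = 1 would make c independent of x
            return g


def commit(g, x, r):
    """c = g^x h^r; negative exponents are inverses modulo n."""
    return pow(g, x, N) * pow(H, r, N) % N


# --- the three moves of the protocol in Section 5.1 ---
def prover_first(g, rng):
    """Move 1: y in [0..TC2^k[, s in [0..C2^(B+2k)[, d = g^y h^s."""
    y = rng.randrange(0, T * C * 2 ** K)
    s = rng.randrange(0, C * 2 ** (B + 2 * K))
    return commit(g, y, s), (y, s)


def verifier_challenge(rng):
    """Move 2: e uniform in [0..C[."""
    return rng.randrange(0, C)


def prover_response(state, e, x, r):
    """Move 3: u = y + ex, v = s + er over the integers."""
    y, s = state
    return y + e * x, s + e * r


def verifier_check(g, c, d, e, u, v):
    """V accepts iff g^u h^v = d c^e and u in [-TC..TC(2^k + 1)]."""
    in_range = -T * C <= u <= T * C * (2 ** K + 1)
    return in_range and commit(g, u, v) == d * pow(c, e, N) % N


def simulate(g, c, rng):
    """Honest-verifier simulator: draw u, v, e first and solve for d = g^u h^v c^-e."""
    u = rng.randrange(0, T * C * 2 ** K)
    v = rng.randrange(0, C * 2 ** (B + 2 * K))
    e = rng.randrange(0, C)
    return commit(g, u, v) * pow(c, -e, N) % N, e, u, v


def extract(g, c, e, u, v, e2, u2, v2):
    """Extractor step: two accepting answers (e,u,v), (e',u',v') for one d give
    g^(u-u') h^(v-v') = c^(e-e'). If e-e' divides u-u' and v-v' the values are
    good and c opens as (x, r, mu) with mu = g^x h^r c^-1 in U; else they are bad."""
    de, du, dv = e - e2, u - u2, v - v2
    if du % de or dv % de:
        return None                        # a "bad" set of values
    x, r = du // de, dv // de
    mu = commit(g, x, r) * pow(c, -1, N) % N
    assert pow(mu, de, N) == 1 and pow(mu, L_G, N) == 1   # ord(mu) | e-e' < C, so mu in U
    return x, r, mu


def demo(seed=1):
    """An honest run answered twice for the same d (what Rewind produces), then
    extraction and one simulated transcript; returns the pieces worth checking."""
    rng = random.Random(seed)
    g = make_key(rng)
    x, r = -37, rng.randrange(0, 2 ** (B + K) + 1)
    c = commit(g, x, r)
    d, state = prover_first(g, rng)
    answers = []
    for e in (3, 1):                       # two distinct challenges, e > e'
        u, v = prover_response(state, e, x, r)
        assert verifier_check(g, c, d, e, u, v)
        answers.append((e, u, v))
    (e, u, v), (e2, u2, v2) = answers
    sd, se, su, sv = simulate(g, c, rng)
    return {"g": g, "c": c, "r": r,
            "opening": extract(g, c, e, u, v, e2, u2, v2),
            "sim_ok": verifier_check(g, c, sd, se, su, sv)}
```

With an honest prover the extracted $\mu$ is always 1; the bad case (`extract` returning `None`) is what the proof of Lemma 1 turns into a root of $h$.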


Lemma 1. Let $\mathcal{R}$, $(P, V)$, $\kappa$, $M$ and $p()$ be as defined above. Given any prover $P^*$, there exists an algorithm $A(P^*)$ that solves the root problem defined by $\mathcal{G}(1^k)$ with probability $\mathrm{Adv}_{\kappa,M,p}(P^*, k)/(9\, l(k))$ if $k \ge 6$, and runs in time $448 \cdot t_{P^*}(k)/\kappa(k)$, where $t_{P^*}(k)$ denotes the running time of $P^*$ ($1/l(k)$ is a lower bound on the probability that a random element in $G$ has $C(k)$-rough order).


Proof. The algorithm claimed does the following: receive $G, h$ as input. Set $g = h^\alpha$ for random $\alpha \in [0..2^{2B+k}]$. We send $g, h$ to the adversary, call Rewind and hope that we get a set of bad values. However, we will only allow Rewind to do the protocol with the prover at most $448/\kappa(k)$ times. If Rewind runs longer than this, we abort it and stop. If we obtained a set of bad values, we attempt to compute a root of $h$ as described below.

$^1$ Note that this is not completely trivial, as $P^*$ is probabilistic: although its average success probability is $\epsilon_{view,P^*}$, it may not be equally successful for all choices of random coins. It is essential for getting the claimed expected time that $\epsilon_{view,P^*} > 4/C(k)$, and not just $> 1/C(k)$.
It is immediately clear that this algorithm has the claimed running time. We now look at the success probability. We will assume that $h$ has $C(k)$-rough order. Since this happens with probability at least $1/l(k)$, it is enough to show that the success probability under this assumption is at least the bound claimed times $l(k)$.

Note that the distribution of $G, h, g$ that $P^*$ receives here is exactly the same as in the real commitment scheme. Hence the probability of producing a view for which $M$ fails is exactly $\mathrm{Adv}_{\kappa,M,p}(P^*, k)$. Note also that given any view $view$ where $M$ fails, it must be the case that the values produced by Rewind are bad with probability at least $1/2$. If this were not the case, then $M$ could expect to find a way to open $c$ after calling Rewind twice, which takes expected time $112/\epsilon_{view,P^*} < p(k)/(\epsilon_{view,P^*} - \kappa(k))$, so this would contradict the fact that $M$ fails on $view$. So let $E$ be the event that $M$ fails on $view$ and Rewind has returned a set of bad values. We now make the following

Claim: Given that $E$ occurs, we can solve the root problem with probability at least $1/2 - 2^{-k}$.

To see this, recall that Rewind returns $e, e', u, u', v, v'$ such that $g^{u-u'} h^{v-v'} = c^{e-e'}$, and we have that $e - e'$ does not divide both $u - u'$ and $v - v'$. If we plug in that $g = h^\alpha$, we get

$$h^{\alpha(u-u') + (v-v')} = c^{e-e'}.$$

We then split into two cases:

Case 1: $e - e'$ does not divide $\alpha(u - u') + (v - v')$.

In this case, let $\beta = \gcd(e - e', \alpha(u - u') + (v - v'))$ (where by assumption $\beta < e - e' < C(k)$). Choose $\gamma, \delta$ such that

$$\gamma(e - e') + \delta(\alpha(u - u') + (v - v')) = \beta.$$

We then get that

$$h^\beta = h^{\gamma(e-e') + \delta(\alpha(u-u') + (v-v'))} = (h^\gamma c^\delta)^{e-e'}.$$

If we set $\mu = (h^\gamma c^\delta)^{(e-e')/\beta} h^{-1}$, it is clear that $\mu^\beta = 1$, so since $\beta < C(k)$, $\mathrm{ord}(\mu)$ is $C(k)$-smooth, so that $\mu^{l_G} = 1$. Furthermore

$$h\mu = (h^\gamma c^\delta)^{(e-e')/\beta}.$$

So in this case, we may output $h^\gamma c^\delta$, $(e - e')/\beta$, $\mu$, which is a solution to the root problem as we defined it earlier.

Case 2: $e - e'$ divides $\alpha(u - u') + (v - v')$.

Note that even in this case, we still have that $e - e'$ does not divide both $u - u'$ and $v - v'$. The goal will be to show that since the adversary does not have full information about our choice of $\alpha$, this case happens with probability at most $(1/2 - 2^{-k})$, given that $E$ occurs. Hence the previous case, where we could solve the root problem, happens with large probability, given $E$. Let $q$ be some prime factor of $e - e'$ such that $q^j$ is the maximal $q$-power dividing $e - e'$, and at least one of $u - u', v - v'$ is non-zero modulo $q^j$ (such a $q$ must exist since $e - e'$ does not divide both of $u - u', v - v'$). Note that if $q^j$ divided $u - u'$, it would have to divide $v - v'$ as well, which is a contradiction. So $u - u' \neq 0 \bmod q^j$. We can then write $\alpha = y + z \cdot \mathrm{ord}(h)$, where $y = \alpha \bmod \mathrm{ord}(h)$. Note that $g$ represents all information the adversary has about $\alpha$, and $y$ is uniquely determined from $g$, whereas $z$ is completely unknown. Now, if indeed $q^j$ divides $\alpha(u - u') + (v - v')$, we have

$$\alpha(u - u') + (v - v') = z(u - u')\,\mathrm{ord}(h) + y(u - u') + (v - v') = 0 \bmod q^j.$$

Note that since $q < C(k)$ we have $\mathrm{ord}(h) \neq 0 \bmod q$. Now, from the adversary's point of view, $z$ is chosen uniformly among at least $2^{B+k}$ values, and must satisfy the above equation in order for the bad case to occur. The number of solutions modulo $q^j$ of this equation is at most $\gcd((u - u')\,\mathrm{ord}(h), q^j)$. This number is a power of $q$, but is at most $q^{j-1}$. Then, since $2^{B+k}$ is larger than $q^j$ by a factor of at least $2^k$, it follows that the distribution of $z \bmod q^j$ is statistically close to uniform in $\mathbb{Z}/q^j\mathbb{Z}$. In fact, the probability that $z$ satisfies the equation is at most $1/q - 2^{-k} < 1/2 - 2^{-k}$. The claim above now follows.

Summarizing, we therefore have that for every view $view$ where $M$ fails, running Rewind will fail to solve the root problem with probability at most $1 - (1/2 - 2^{-k})/2 = 3/4 + 2^{-k-1}$. The expected number of executions of $P^*$ needed to run Rewind is at most $56/\epsilon_{view,P^*} < 56/\kappa(k)$. Thus Rewind is allowed to run for at least 8 times its expected running time, and so by Markov's inequality it will run for longer with probability at most $1/8$. Since the probability that $view$ is bad in the first place is $\mathrm{Adv}_{\kappa,M,p}(P^*, k)$, the success probability of $A(P^*)$ is $\mathrm{Adv}_{\kappa,M,p}(P^*, k)(1 - 1/8 - 3/4 - 2^{-k-1}) \ge \mathrm{Adv}_{\kappa,M,p}(P^*, k)/9$ if $k \ge 6$. This finishes the proof.

Next we have: 

Theorem 2. If the root assumption is $(t'(k), \epsilon(k))$-secure, the above protocol is a computationally convincing proof of knowledge for $\mathcal{R}$ with knowledge error $\kappa(k)$, time bound $t(k)$ and failure probability $\nu(k)$, where $\nu(k) = 9\,\epsilon(k)\,l(k)$, $t(k) \le t'(k)/448$ and $\kappa(k) = \max(4/C(k),\ 448\, t(k)/t'(k))$. If $-T < x < T$ (as it will be when the prover is honest), the protocol is honest verifier statistical zero-knowledge.

Remark 1. There are a number of known techniques by which a protocol that 
is zero-knowledge in general can be constructed from an honest verifier zero- 
knowledge protocol. 

Remark 2. Note that a prover playing against the commitment scheme as defined 
above will see both the public key pk and a zero-knowledge proof from V that 
pk was correctly chosen, whereas a prover in the proof of knowledge definition 
only sees the public key. This makes no difference, however, since the proof is 
statistical zero-knowledge and could always be simulated. 
Proof. Completeness of this protocol is clear. It is honest verifier statistical zero-knowledge: to simulate, we can choose at random $u \in [0..TC(k)2^k[$, $v \in [0..C(k)2^{B+2k}[$, $e \in [0..C(k)[$ and set $d = g^u h^v c^{-e}$. The rest follows immediately from the preceding lemma.

5.2 A Multiplication Protocol 

Using techniques similar to those above, we can also get a protocol for proving that three given commitments $c_1, c_2, c_3$ contain numbers $x_1, x_2, x_3$ such that $x_3 = x_1 x_2$. We assume that $c_i = g^{x_i} h^{r_i}$, and as before that the $x_i$'s are numerically smaller than $T$. Note that then we have $c_3 = c_1^{x_2} h^{r_3 - x_2 r_1}$, i.e., using $c_1$ as the "base element" for the commitment $c_3$, it will contain the same value as does $c_2$ using $g$ as base. So if the prover can convince us of this and also that he can open $c_1$, it will follow that $x_3 = x_1 x_2$. This is the idea behind the protocol below:

1. $P$ chooses at random $y_1, y \in [0..C(k)T2^k[$, $s_1, s_2 \in [0..C(k)2^{B+2k}[$, $s_3 \in [0..C(k)T2^{B+2k}[$ and sends $d_1 = g^{y_1} h^{s_1}$, $d_2 = g^y h^{s_2}$, $d_3 = c_1^y h^{s_3}$ to $V$.

2. $V$ chooses $e$ at random between $0$ and $C(k)$ and sends it to $P$.

3. $P$ sends $u_1 = y_1 + e x_1$, $u = y + e x_2$, $v_1 = s_1 + e r_1$, $v_2 = s_2 + e r_2$ and $v_3 = s_3 + e(r_3 - x_2 r_1)$. $V$ checks that $g^{u_1} h^{v_1} = d_1 c_1^e$, $g^u h^{v_2} = d_2 c_2^e$, and $c_1^u h^{v_3} = d_3 c_3^e$.
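The multiplication protocol above, as an added Python example written for this page rather than taken from the paper. It uses the same constructed toy group as the earlier examples ($n = 43 \cdot 23$, $l_G = 12$, $h = 692$ of $C(k)$-rough order 77) and the constructed parameters $C(k) = 5$, $B = 10$, $k = 8$, $T = 100$; it first checks the base-change identity $c_3 = c_1^{x_2} h^{r_3 - x_2 r_1}$ that the protocol rests on, then runs the three moves for an honest prover with a correct and with an incorrect product.

```python
import random

# Same constructed toy group as the earlier examples (not the paper's parameters):
# n = 43*23, l_G = 12, h = 692 of C(k)-rough order 77; C(k) = 5, B = 10, k = 8, T = 100.
N, L_G, H = 43 * 23, 12, 692
C, B, K, T = 5, 10, 8, 100


def make_key(rng):
    """V picks g = h^alpha, alpha in [0..2^(2B+k)] (toy guard against g = 1)."""
    while True:
        g = pow(H, rng.randrange(0, 2 ** (2 * B + K) + 1), N)
        if g != 1:
            return g


def commit(base, x, r):
    """base^x h^r; the base is g for c_1, c_2, c_3 and c_1 for the third equation."""
    return pow(base, x, N) * pow(H, r, N) % N


def base_change_identity(x1, r1, x2, r3, seed=3):
    """The observation behind the protocol: c_3 = c_1^(x_2) h^(r_3 - x_2 r_1)
    holds when c_3 = g^(x_1 x_2) h^(r_3), i.e. when c_3 commits to x_1 x_2."""
    g = make_key(random.Random(seed))
    c1 = commit(g, x1, r1)
    return commit(g, x1 * x2, r3) == commit(c1, x2, r3 - x2 * r1)


def mult_prover_first(g, c1, rng):
    """Move 1: y_1, y in [0..CT2^k[, s_1, s_2 in [0..C2^(B+2k)[, s_3 in [0..CT2^(B+2k)[."""
    y1 = rng.randrange(0, C * T * 2 ** K)
    y = rng.randrange(0, C * T * 2 ** K)
    s1 = rng.randrange(0, C * 2 ** (B + 2 * K))
    s2 = rng.randrange(0, C * 2 ** (B + 2 * K))
    s3 = rng.randrange(0, C * T * 2 ** (B + 2 * K))
    ds = (commit(g, y1, s1), commit(g, y, s2), commit(c1, y, s3))
    return ds, (y1, y, s1, s2, s3)


def mult_prover_response(state, e, x1, r1, x2, r2, r3):
    """Move 3: u_1, u, v_1, v_2 as in Section 5.1, plus v_3 = s_3 + e(r_3 - x_2 r_1)."""
    y1, y, s1, s2, s3 = state
    return (y1 + e * x1, y + e * x2, s1 + e * r1, s2 + e * r2, s3 + e * (r3 - x2 * r1))


def mult_verify(g, cs, ds, e, resp):
    """V's three checks: g^u1 h^v1 = d1 c1^e, g^u h^v2 = d2 c2^e, c1^u h^v3 = d3 c3^e."""
    c1, c2, c3 = cs
    d1, d2, d3 = ds
    u1, u, v1, v2, v3 = resp
    return (commit(g, u1, v1) == d1 * pow(c1, e, N) % N
            and commit(g, u, v2) == d2 * pow(c2, e, N) % N
            and commit(c1, u, v3) == d3 * pow(c3, e, N) % N)


def run(x1, x2, x3, seed=1):
    """Full run for commitments to x1, x2, x3 by a prover that follows the protocol;
    returns V's verdict. The challenge e = 0 is excluded here because it is the one
    value any prover can answer (the usual 1/C(k) soundness slack)."""
    rng = random.Random(seed)
    g = make_key(rng)
    r1, r2, r3 = (rng.randrange(0, 2 ** (B + K) + 1) for _ in range(3))
    cs = (commit(g, x1, r1), commit(g, x2, r2), commit(g, x3, r3))
    ds, state = mult_prover_first(g, cs[0], rng)
    e = rng.randrange(1, C)
    resp = mult_prover_response(state, e, x1, r1, x2, r2, r3)
    return mult_verify(g, cs, ds, e, resp)
```

When $x_3 \neq x_1 x_2$ the third check compares $d_3 (g^{x_1 x_2} h^{r_3})^e$ with $d_3 c_3^e$, which differ by $g^{e(x_1 x_2 - x_3)}$; since $e \neq 0$ and the hidden order of $g$ in this toy group is 7, 11 or 77, a product that is off by one is rejected.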

Define a relation generator $\mathcal{R}_{mult}$ as follows: run $\mathcal{G}(1^k)$ to get $G$, choose $h \in G$ with $C(k)$-rough order, set $g = h^\alpha$ and output $\mathrm{descr}(G), g, h$. Then define the relation $R_{mult} = \{((c_1, c_2, c_3), (x_1, r_1, b_1, x_2, r_2, b_2, x_3, r_3, b_3)) \mid c_i, b_i \in G,\ c_i = b_i g^{x_i} h^{r_i},\ b_i^{l_G} = 1,\ i = 1, 2, 3\}$. This leads to:

Theorem 3. If the root assumption is $(t'(k), \epsilon(k))$-secure, the above protocol is a computationally convincing proof of knowledge for $\mathcal{R}_{mult}$ with knowledge error $\kappa(k)$, time bound $t(k)$ and failure probability $\nu(k)$, where $\nu(k) = 9\,\epsilon(k)\,l(k)$, $t(k) \le t'(k)/448$ and $\kappa(k) = \max(4/C(k),\ 448\, t(k)/t'(k))$. If $-T < x_1, x_2, x_3 < T$ (as they will be when the prover is honest), the protocol is honest verifier statistical zero-knowledge.

For lack of space, we omit the proof, which can be easily derived from the proof of Theorem 2.

6 What Is the Major Difference from the Earlier Proof in [13]?

For completeness, we briefly indicate here what is mainly different from the earlier work [13] in terms of the proof of soundness. As mentioned above, the main gap we fill here does not appear in the proofs in related works [ref]. This is because the gap only appears in the proofs for protocols associated with commitments using plural bases (i.e., $c = g^s h^r$ such as in [13]).

The protocols suggested in [13] are very similar to the ones we suggest here; in particular they have the same 3-move form, with a challenge $e$ from the verifier as the second message. So [13] uses a rewinding argument, as we do here, to obtain correct answers from the prover to challenges $e, e'$. However, a problem occurs in the last part of the proof, which corresponds to the last case in our analysis, that is, Case 2: "$(e - e')$ divides $\alpha(u - u') + (v - v')$". Translated into our notation, we now have $(e - e')$, $u - u'$, and $v - v'$ such that $h^{\alpha(u-u') + (v-v')} = c^{e-e'}$. If $e - e'$ divides both $(u - u')$ and $(v - v')$, we are essentially done, since we then have $c = \mu g^{(u-u')/(e-e')} h^{(v-v')/(e-e')}$ where $\mu^{e-e'} = 1$. In the earlier work [13], it is claimed that the adversary can make Case 2 occur only with negligible probability unless $e - e'$ divides both $(u - u')$ and $(v - v')$, because he doesn't have enough information about $\alpha$, where $g = h^\alpha$. However, if $e - e'$ is a small number, then this case may in fact happen with significant probability, even without $e - e'$ dividing both $u - u'$ and $v - v'$. This problem was not taken into account in [13]. Later, in the full paper version of [13], it was shown that when the knowledge extractor rewinds $P^*$ and makes him output $e, e'$, it only happens with negligible probability that $e - e'$ is small; see [ref]. However, even if $e - e'$ is large, there is still a problem: if $e - e'$ has a small prime factor $p$, there may be a significant probability that $p$ divides $\alpha(u - u') + (v - v')$ whereas it does not divide both $u - u'$ and $v - v'$. The additional idea we provide here essentially fills this gap, and indeed seems necessary for this type of proof to go through.

As for [ref], what corresponds to Case 2 is the event "$(e - e')$ divides $(u - u')$"; there is no gap in going to $c = \mu g^{(u-u')/(e-e')}$, where $\mu^{e-e'} = 1$. Hence, the related works above do not suffer from the problem we need to consider.


7 Applying the Scheme in Class Groups and Beyond 

We do not give any detailed introduction to class groups here, or more precisely, class groups of quadratic number fields. It is enough to know that each such group is defined by a single number, the discriminant $\Delta$. Given this number, one can choose elements in the group and compute the group and inversion operations. Finding the order of the class group (the class number) from $\Delta$ appears to be a hard problem, and is at least as hard as factoring $\Delta$ (if $\Delta$ is composite). Therefore, root extraction also appears to be a hard problem, and it seems reasonable to conjecture that if $\Delta$ is chosen randomly from a large set of values, then the class number will contain large and random prime factors, and will not have a very large factor consisting of only small primes. Various heuristics (but no proofs) supporting this are known. All of this together makes it a reasonable conjecture that class groups constructed from large, random discriminants would satisfy the assumptions we made in the beginning, for some appropriate choice of $C(k)$.$^2$

There is one difficulty, however: we have assumed that $G$ can be generated such that $l_G$, the order of the subgroup $U$ of $C(k)$-smooth elements, is known. Unfortunately, there is no known way to do this for class groups.

$^2$ There are some heuristics known that describe how the factorization of a class number can be expected to behave; $C(k)$ should be chosen with this in mind.

One way to solve this is to observe that we have only used $l_G$ in order to verify membership in $U$. So we can do the following: assume we can choose $C(k)$ and $l(k)$ such that $C(k) > l(k)$ and (as usual) such that $l(k)$ is a polynomial and the order of $U$ is less than $l(k)$. Now we replace $l_G$ in all descriptions and proofs by $l(k)!$. This works because $l(k)!$ is guaranteed to be a multiple of $l_G$ and all its prime factors are at most $l(k)$, and so are less than $C(k)$.

Another possibility is to rely on an additional intractability assumption, namely that given $\mathrm{descr}(G)$, it is hard to find a non-trivial element in $U$. This seems to be a reasonable assumption in many settings: indeed $U$ is an extremely small subgroup, so a random choice will succeed with negligible probability. Moreover, in the case of class groups with a composite discriminant, finding an element of order 2 is equivalent to factoring the discriminant. With this assumption, all the cases where we needed to know $l_G$ occur with negligible probability and can be ignored.
A The Rewind Procedure

We are given a prover $P^*$ who sends a message $d$, receives a challenge chosen
randomly among $C$ possibilities, and returns an answer $z$ that may or may not
be correct. We are given that the probability of a correct answer, taken over $P^*$'s
coins and the choice of $e$, is at least $\epsilon > 4/C$. We want to find correct answers to
two different $e$-values for a given $d$ as efficiently as possible.

Of course, the idea is to run the prover, and use rewinding to try to make
him answer two different challenges correctly. But to run him, we need to supply
random coins. Although we know that the average success probability is $\epsilon$, we do
not know that $P^*$ is equally successful with any random input. To get a better
view of this, let $H$ be a matrix with a row for each possible set of random coins
for $P^*$, and one column for each possible challenge value. Write 1 in an entry if
$P^*$ answers correctly with the corresponding random choices and challenge, and
0 otherwise. Using $P^*$ as a black box, we can probe any entry we want in $H$, and
our goal can be rephrased as: find two 1's in the same row. What we know is
that $\epsilon$ equals the fraction of 1-entries in $H$.

It is now apparent that we cannot just search for a 1-entry and then keep
looking for another 1 in the same row: if we stumbled across the only 1 in that
row, we would never finish. Consider instead the following algorithm Alg:

1. Probe random entries in $H$ until a 1 is found.

2. Then start the following two processes in parallel, and stop when either one
stops:

Pr1. Probe random entries in the row in which we found a 1 before, until
another 1-entry is found.

Pr2. Repeatedly flip a coin that comes out heads with probability $\epsilon/w$, for
some constant integer $w$ (we show how to choose $w$ later), until you get
heads. This can be done by probing a random entry in $H$ and choosing
a random number among $1, 2, \ldots, w$: you output heads if the entry was
a 1 and the number was 1.

This algorithm runs in expected time at most $w/\epsilon$ (recall that we count access
to $P^*$ as one step). Define a row to be heavy if it contains a fraction of at least
$\epsilon/2$ 1's. By a simple counting argument, you can see that at least half of the 1's
are located in heavy rows. Given that Pr1 runs in a heavy row, the probability
that a probe will succeed is at least $(C\epsilon/2 - 1)/C$, so the expected number of probes
it makes is $T(\epsilon) = C/(C\epsilon/2 - 1)$. If $\epsilon > 4/C$, then $T(\epsilon) < 2/\epsilon$. Moreover, the
probability that Pr1 runs for more time than $2T(\epsilon)$ is at most $1/2$. Assume we
choose $w$ large enough so that Pr2 finishes later than $2T(\epsilon)$ with probability
at least $1/2$. It is straightforward to see that $w = 7$ is sufficient. Then, given
that the row we use is heavy, we have probability at least $1/4$ of success, and
hence overall probability $1/8$.

Therefore, our Rewind procedure simply repeats Alg until there is success;
the expected number of times it will have to do so is 8, and hence the expected
total time is $56/\epsilon$.
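As an added illustration, not part of the original paper, the following Python simulation runs Alg and the Rewind procedure against a constructed success matrix $H$ (half of the rows hold a single 1, half hold twelve, giving $\epsilon \approx 0.41 > 4/C$ with $C = 16$). The matrix layout, $w = 7$ and the probe accounting are the example's own choices; the run reports the average number of probes against the paper's $56/\epsilon$ bound.

```python
import random

# Added example (not from the paper): a simulation of algorithm Alg and the
# Rewind procedure of Appendix A.  H is the success matrix: one row per
# choice of the prover's random coins, one column per challenge value, entry 1
# where P* answers correctly.  A probe of an entry stands for one run of P*.

def make_matrix(rows=32, cols=16):
    """Constructed H: the first half of the rows are 'light' (a single 1 each),
    the second half are 'heavy' (12 ones out of 16)."""
    H = [[0] * cols for _ in range(rows)]
    for r in range(rows):
        if r < rows // 2:
            H[r][r % cols] = 1
        else:
            for j in range(12):
                H[r][(r + j) % cols] = 1
    return H

def fraction_of_ones(H):
    """epsilon: the fraction of 1-entries, i.e. P*'s average success probability."""
    return sum(map(sum, H)) / (len(H) * len(H[0]))

def rewind(H, rng, w=7):
    """Repeat Alg until two 1-entries in one row are found.
    Returns (row, col1, col2, number_of_probes)."""
    rows, cols = len(H), len(H[0])
    eps = fraction_of_ones(H)
    probes = 0

    def probe(r, c):
        nonlocal probes
        probes += 1
        return H[r][c]

    while True:                                   # one iteration of Alg
        # Step 1: probe random entries until a 1 is found
        r, c1 = rng.randrange(rows), rng.randrange(cols)
        while probe(r, c1) != 1:
            r, c1 = rng.randrange(rows), rng.randrange(cols)
        # Step 2: Pr1 and Pr2 in lock step; whichever stops first ends the step
        while True:
            # Pr1: another random probe in the same row (skip the entry we know)
            c2 = rng.randrange(cols)
            if c2 != c1 and probe(r, c2) == 1:
                return r, c1, c2, probes
            # Pr2: a coin with heads-probability eps/w, realised as a random
            # probe of H plus a random number in 1..w (heads iff the entry is 1
            # and the number is 1)
            rr, cc = rng.randrange(rows), rng.randrange(cols)
            if probe(rr, cc) == 1 and rng.randrange(1, w + 1) == 1:
                break                             # Pr2 finished first: restart Alg

def run_trials(n, seed=0):
    """Run Rewind n times on the constructed matrix.  Returns (all_valid,
    average_probes, 56/eps), the last being the paper's expected-time bound."""
    H = make_matrix()
    rng = random.Random(seed)
    results = [rewind(H, rng) for _ in range(n)]
    valid = all(H[r][c1] == 1 and H[r][c2] == 1 and c1 != c2
                for r, c1, c2, _ in results)
    avg = sum(p for *_, p in results) / n
    return valid, avg, 56 / fraction_of_ones(H)

if __name__ == "__main__":
    valid, avg, bound = run_trials(200)
    print("all results are two 1's in one row:", valid)
    print(f"average probes {avg:.1f} vs bound 56/eps = {bound:.1f}")
```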

B Further Extensions 

There are many possible variants or extensions with some differences. For example,
when $T_0 < |x|$ is public, we can reduce the computational amount for
the protocol by using $T - T_0$ instead of $T$. In the rest of this section, we briefly
mention two extensions (not many, due to the space limitation), to non-Abelian
groups and to verifiable encryption, where we think the latter might not
be so trivial.

For a non-Abelian group $G$, we can get a similar result if the assumptions are
modified as follows: (1) there is an element $h$ in $G$ such that its order is $C$-rough
whereas $l_G = [G : \langle h \rangle]$ is $C$-smooth, and (2) given $\mathrm{descr}(G)$ and random $Y \in G$, it
is difficult to find $e > 1$, $X \in G$ such that $Y = \rho_1 X^e \rho_2$ and $\rho_1^{l_G} = \rho_2^{l_G} = 1$. Define
$\mathrm{commit}_{pk}(s, r) = g^s h^r$ for $g \in \langle h \rangle$, but allow the committer to send $(s', r')$ when
opening commitment $c$ so long as $(g^{s'} h^{r'}/c)^{l_G} = 1$. The proofs above similarly
go through, considering that the $l_G$-th power of any element in $G$ belongs to $\langle h \rangle$.

To make verifiable encryption, we use the Okamoto-Uchiyama encryption [?].
Suppose that $p, q$ are primes such that $(p-1)/2$, $(q-1)/2$ are $C$-rough. Define
$QR(X) = \{x \in \mathbb{Z}_X : \exists\, y \in \mathbb{Z} \text{ s.t. } y^2 = x \pmod X\}$. Let $H = QR(n) \subset G =
QR(q) \subset (\mathbb{Z}/n\mathbb{Z})^\times$ where $n = p^2 q$. Since $\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)^2 \left(\frac{x}{q}\right)$, one can efficiently check
that $x$ belongs to $G$ by computing the Jacobi symbol over $n$. Then $g, h$ are
chosen as follows: pick at random $h_0 \in H$ such that $p \mid \mathrm{ord}(h_0)$. Set $g =$ Zig
and $h = h_0$. We have $l_G = 4$. The commitment $c = g^x h^r$ ($0 \le x < p$) is not
statistically hiding, but one can still think of it as computationally hiding (so long as
the OU encryption is semantically secure). The associated protocols above can
be applied to this new commitment without any modification, which makes it
verifiable. Actually in this case, the verifier can be convinced that the committer
can only open commitments that belong to $H$ (because if the committer can
show any non-trivial $\rho$ such that $\rho^4 = 1$, he can factor $n$).

An application of this verifiable encryption appears in [11]. A "light" version
of this verifiable encryption, using $c = g^s \bmod n$, appears in [?].
Abstract. In this paper we propose an efficient $OT_1^N$ scheme in the
bounded storage model, which is provably secure without complexity
assumptions. Under the assumption that a public random string of $M$ bits
is broadcast, the protocol is secure against any computationally unbounded
dishonest receiver who can store $\tau M$ bits, $\tau < 1$. The protocol
requires the sender and the receiver to store $N \cdot O(\sqrt{kM})$ bits, where
$k$ is a security parameter. When $N = 2$, our protocol is similar to that
of Ding [?] but has more efficient round and communication complexities.
Moreover, in case of $N > 2$, if the sender and receiver can store
$N \cdot O(\sqrt{kM})$ bits, we are able to construct a protocol for $OT_1^N$ which has
almost the same complexity as the $OT_1^2$ scheme. Ding's protocol was
constructed by using the interactive hashing protocol introduced
by Naor, Ostrovsky, Venkatesan and Yung [?], which has very large round
complexity. We propose an efficiently extended interactive hashing and
analyze its security. This protocol answers partially an open problem
raised in [?].

1 Introduction 

Consider two parties, the sender Alice and the receiver Bob. Alice has $N$ secret
bits $X_0, X_1, \ldots, X_{N-1} \in GF(2)$, and Bob has a secret value $c \in \{0, 1, \ldots, N-1\}$.
Alice sends $X_0, X_1, \ldots, X_{N-1}$ in such a way that Bob receives $X_c$, but does not
learn any information about the other secrets $X_i$, $i \ne c$, and Alice learns nothing
about $c$. A 1-out-of-$N$ Oblivious Transfer ($OT_1^N$) is a cryptographic two-party
protocol that provides a solution for this goal.

$OT_1^2$ was suggested by Even, Goldreich, and Lempel [?] as a generalization
of Rabin's Oblivious Transfer (OT) [?], and Crépeau [?] proved that OT and
$OT_1^2$ are equivalent. $OT_1^N$ was introduced by Brassard, Crépeau, and Robert [2]
under the name ANDOS (all or nothing disclosure of secrets). Oblivious transfer
can be used to construct cryptographic protocols, such as bit commitment, zero-knowledge
proof, and generally secure multi-party computation [?].

Traditionally, oblivious transfer has been constructed under complexity assumptions,
such as the hardness of factoring or discrete log, or the existence of
trapdoor one-way permutations. However, they do not guarantee information-theoretic
security, and the security of the protocol could be subverted later,
when enabled by breakthroughs in computing technology and algorithms. For
example, protocols based on the hardness of factoring or computing discrete
logarithms will become insecure if quantum computers become available [?].
Alternatives to computational security assumptions that have been proposed include
quantum cryptography, the noisy channel model, and the bounded-storage
model [?].

Cachin, Crépeau, and Marcil [?] proposed the first protocol for $OT_1^2$ in the
bounded-storage model that is unconditionally secure, without any complexity
assumption. Under the assumption that a public random string of $M$ bits
is broadcast, the CCM protocol [?] guarantees provable security against any
computationally unbounded dishonest receiver who can store $\tau M$ bits, $\tau < 1$.
Furthermore, the security against a dishonest receiver is preserved regardless
of future increases in storage capacity. The case where the storage bound is
placed on the sender is equivalent by the reversibility of OT [3]. Protocols in
the bounded-storage model make use of a very large amount of auxiliary information,
called the public random string [?], in order to defeat the adversary. The
public random string could be a random bit sequence broadcast by a satellite
or transmitted between the legitimate parties, or the signal of a deep-space radio
source. Recently, Ding [?] proposed a protocol for $OT_1^2$ in the bounded-storage
model that is similar to but more efficient than the CCM protocol. Ding's protocol
reduced the storage requirement from $O(M^{2/3})$ in the CCM protocol to $O(\sqrt{kM})$,
where $k$ is a security parameter, and proved that any dishonest receiver who
stores $O(M)$ bits succeeds with probability at most $2^{-O(k)}$, rather than inverse
polynomially small.

In this paper, we propose a provably secure and efficient protocol for $OT_1^N$
with a storage-bounded receiver, without any complexity assumption. Our protocol
uses $N$ public random strings of $M$ bits and requires the sender and the
receiver to store $N \cdot O(\sqrt{kM})$ bits, where $k$ is a security parameter. When $N = 2$,
our protocol is similar to Ding's protocol but has more efficient round and
communication complexities. Moreover, in case of $N > 2$, if the sender and the
receiver can store $N \cdot O(\sqrt{kM})$ bits, we are able to construct a protocol for $OT_1^N$
which has almost the same complexity as the $OT_1^2$ scheme. This is constructed
based on an extended interactive hashing scheme.

Naor, Ostrovsky, Venkatesan and Yung [?] introduced the interactive hashing
protocol, and Cachin, Crépeau, and Marcil [?] gave a new elegant analysis
of it. Interactive hashing is a protocol between a challenger Alice with no input
and a responder Bob with input string $y$, and provides a way to isolate two
strings. One of the strings is Bob's input $y$ and the other is chosen randomly,
without influence from Bob. However, Alice does not learn which one is $y$.
Up to the present, interactive hashing has been based on the NOVY protocol
[?], which has very large round and communication complexities. The round
and communication complexities of the NOVY protocol, when the string to be
transmitted has $t$ bits, are $t - 1$ rounds and $t^2 - 1$ bits respectively. Thus Ding's
protocol for $OT_1^2$, which is based on the NOVY protocol, has very large round and
communication complexities.
We propose an extended interactive hashing scheme that is more efficient than the
NOVY protocol. We can accomplish interactive hashing with $t/m - 1$ rounds
and $t^2/m - m$ bits of communication complexity, when $m$ is a divisor of $t$, and
provide a way to isolate more than two strings. As a concrete example of what
is claimed in this paper (Section 4), assume that the length of a public random
string is one Petabit (i.e. $M = 10^{15}$), and $1000 < k < 10000$ for a security
parameter $k$; then we can choose $k$ easily such that the protocol has $t^{3/2} - t^{1/2}$-bit
communication complexity, which is much lower than that of the NOVY protocol.
This result answers partially an open problem raised in [?].

This paper is organized as follows. In Section 2, we construct a new universal
hash family. Using this, we propose an extended interactive hashing protocol.
The protocol for $OT_1^N$ in the bounded-storage model is presented in Section 3.
In Section 4, we discuss the complexity of our protocol.


2 Extended Interactive Hashing 

In this section we propose an efficiently extended interactive hashing protocol 
and give an analysis on it. In order to construct this, we first introduce a new 
universal hash family. 


2.1 Universal Hash Family 

The technique of universal hashing was introduced in 1979 by Carter and Wegman
[?] and is used in many areas of computer science and cryptography [?].

Definition 1. Let $\mathcal{F}$ be the set of all functions from $X$ to $Y$ and let the hash
family $\mathcal{H}$ be a subset of $|\mathcal{H}|$ functions in $\mathcal{F}$. $\mathcal{H}$ is called universal if, for
any distinct elements $x_1, x_2 \in X$, there exist at most $|\mathcal{H}|/|Y|$ functions $h \in \mathcal{H}$
such that $h(x_1) = h(x_2)$.

Let $t$ and $m$ be positive integers such that $m$ is a divisor of $t$. We now define a
universal hash family from $GF(2)^t$ to $GF(2)^m$. Let $f(x)$ be an irreducible polynomial
of degree $m$ over $GF(2)$. Then $GF(2^m) = GF(2)[x]/(f(x))$ is represented
as $\{\sum_{i=0}^{m-1} a_i x^i : a_i \in GF(2)\}$. Define the bijective function $\phi : GF(2)^m \to GF(2^m)$
by $(a_{m-1}, \ldots, a_1, a_0) \mapsto a_{m-1}x^{m-1} + \cdots + a_1 x + a_0$. Let $t = lm$. Then

$GF(2)^t = (GF(2)^m)^l = \{(A_{l-1}, \ldots, A_1, A_0) : A_i \in GF(2)^m,\ 0 \le i \le l-1\}.$

We regard $GF(2)^t$ as $(GF(2)^m)^l$ and let $S = (GF(2)^m)^l$. In order to define a
universal hash family from $S$ to $GF(2)^m$, for any $\zeta = (\zeta_{l-1}, \ldots, \zeta_1, \zeta_0) \in S$, we
define the hash function using the above function $\phi$ as follows:

$h_\zeta : S \to GF(2)^m,$

$(A_{l-1}, \ldots, A_1, A_0) \mapsto \phi^{-1}\left(\sum_{i=0}^{l-1} \phi(\zeta_i)\,\phi(A_i)\right).$   (1)
Consider the set $\mathcal{H}$ of hash functions from $S$ to $GF(2)^m$ as follows:

$\mathcal{H} = \{h_\zeta : \zeta = (\zeta_{l-1}, \ldots, \zeta_1, \zeta_0) \in S\},$

where $h_\zeta$ is defined in (1).

Lemma 1. $\mathcal{H}$ is a universal hash family.

Proof. For any two distinct elements $x = (x_{l-1}, \ldots, x_0)$, $y = (y_{l-1}, \ldots, y_0) \in S$,
we need to count the number of $\zeta = (\zeta_{l-1}, \ldots, \zeta_0) \in S$ with $h_\zeta(x) = h_\zeta(y)$.
Since $x \ne y$, there is an index $i_0 \in \{0, \ldots, l-1\}$ such that $x_{i_0} \ne y_{i_0} \in GF(2)^m$.
Then for any $\zeta \in S$

$h_\zeta(x) = h_\zeta(y) \iff \phi(\zeta_{i_0})(\phi(y_{i_0}) - \phi(x_{i_0})) + \sum_{i \ne i_0} \phi(\zeta_i)(\phi(y_i) - \phi(x_i)) = 0$

$\iff \phi(\zeta_{i_0})(\phi(y_{i_0}) - \phi(x_{i_0})) = \sum_{i \ne i_0} \phi(\zeta_i)(\phi(y_i) - \phi(x_i)) \in GF(2^m)$

$\iff \phi(\zeta_{i_0}) = \sum_{i \ne i_0} \phi(\zeta_i)(\phi(y_i) - \phi(x_i)) \cdot (\phi(y_{i_0}) - \phi(x_{i_0}))^{-1}.$   (2)

Since $\phi$ is bijective, for each choice of the $\zeta_i$'s for $i \ne i_0$, equation (2) has exactly
one solution in $\zeta_{i_0}$. Since the number of $\zeta_i$'s for $i \ne i_0$ is $l-1$ and $\zeta_i \in GF(2)^m$ for
each $i$, there are exactly $2^{m(l-1)} = |\mathcal{H}|/2^m$ functions $h_\zeta \in \mathcal{H}$ with $h_\zeta(x) = h_\zeta(y)$.

Thus, $\mathcal{H}$ is a universal hash family. □

The universal hash family $\mathcal{H}$ defined above has the following properties.

Lemma 2. Let $\mathcal{H}$ be the hash family defined above. For any two nonzero distinct
elements $x, y \in S$ and for any $b \in GF(2)^m$, let $T_b = \{h \in \mathcal{H} : h(x) = b,\ h(y) = b\}$.
Then $|T_b| = |\mathcal{H}|/2^{2m}$.

Proof. For any two nonzero elements $x = (x_{l-1}, \ldots, x_0)$, $y = (y_{l-1}, \ldots, y_0) \in S$,
let $x \ne y$. Note that $T_b = \{\zeta \in S : h_\zeta(x) = b,\ h_\zeta(y) = b\}$ by definition.
Since $x \ne y$, there are two distinct indices $j, k \in \{0, \ldots, l-1\}$ such that
$x_j \ne 0$, $y_k \ne 0 \in GF(2)^m$. Then for any $\zeta = (\zeta_{l-1}, \ldots, \zeta_0) \in S$

$h_\zeta(x) = b \iff \phi(x_j)\phi(\zeta_j) + \sum_{i \ne j} \phi(x_i)\phi(\zeta_i) = \phi(b)$

$\iff \phi(\zeta_j) = \left(\sum_{i \ne j} \phi(x_i)\phi(\zeta_i) + \phi(b)\right) \cdot \phi(x_j)^{-1},$

$h_\zeta(y) = b \iff \phi(\zeta_k) = \left(\sum_{i \ne k} \phi(y_i)\phi(\zeta_i) + \phi(b)\right) \cdot \phi(y_k)^{-1}.$

Hence, by the same method as in Lemma 1, $|T_b| = 2^{m(l-2)} = |\mathcal{H}|/2^{2m}$. □

Lemma 3. Let $\mathcal{H}$ be the hash family defined above. Then for any nonzero element
$s \in S$ and for any $b \in GF(2)^m$, $|\{h \in \mathcal{H} : h(s) = b\}| = |\mathcal{H}|/2^m$.

Proof. Clear.
2.2 Interactive Hashing

Interactive hashing is a two-party protocol between a challenger Alice and a
responder Bob. Cachin, Crépeau, and Marcil [?] gave a new elegant analysis of
it in order to use it to construct OT in the bounded-storage model. Bob has a
secret $t$-bit string $y \in T \subset GF(2)^t$, where $|T| \le 2^{t-k}$ and $y$ and $T$ are unknown
to Alice. At the end of the protocol, Alice receives two strings, one of which is $y$,
but Alice does not know which one is $y$. Also, Bob cannot force both strings
to be in $T$, except with a small probability $\nu(k)$.

The following interactive hashing protocol is proposed in Naor, Ostrovsky,
Venkatesan and Yung [?]: Alice randomly chooses $t - 1$ linearly independent
vectors $a_1, \ldots, a_{t-1} \in GF(2)^t$. The protocol then proceeds in $t - 1$ rounds. In
Round $i$, for each $i = 1, \ldots, t-1$,

1. Alice announces $a_i$ to Bob.

2. Bob computes $b_i = a_i \cdot y$ and sends $b_i$ to Alice.

At the end, both Alice and Bob have the same system of linear equations
$b_i = a_i \cdot X$, $i = 1, \ldots, t-1$ over $GF(2)$. Since $a_1, \ldots, a_{t-1} \in GF(2)^t$ are linearly
independent, the system has exactly two $t$-bit strings $y_1, y_2$ as solutions and one
of them is $y$ by standard linear algebra. Thus Alice does not know, information-theoretically,
which solution is $y$. Also, the condition that Bob cannot force
both strings to be in $T$, except with a small probability $\nu(k)$, was proved in
[?].

Since the round and communication complexities of the NOVY protocol, which
transmits a string of $t$ bits, are $t - 1$ rounds and $t^2 - 1$ bits respectively, any protocol
which is based on the NOVY protocol has very large round and communication
complexities.

2.3 Extended Interactive Hashing Protocol 

We propose a new scheme between a challenger Alice with no input and a responder
Bob with input string $y$ which provides a way to isolate more than two
strings. Bob has a secret $t$-bit string $y \in T \subset GF(2)^t$, where $|T| \le 2^{t-k}$ and $y$
and $T$ are unknown to Alice. For some positive integers $l$ and $m$, let $t = lm$. The
protocol should meet the following requirements:

1. Bob sends a secret $t$-bit string in such a way that Alice receives $2^m$ $t$-bit
strings and one of them is $y$, but Alice does not know which one is $y$.

2. Bob cannot force any two of them to be in $T$, except with a small probability
$\nu(k)$.

We regard $GF(2)^t$ as $(GF(2)^m)^l$ and let $S = (GF(2)^m)^l$. Bob chooses a
secret $t$-bit string $y = (y_{l-1}, \ldots, y_1, y_0) \in S$, where $y_i \in GF(2)^m$, $0 \le i \le l-1$.
Now we consider the universal family $\mathcal{H}$ of hash functions from $S$ to $GF(2)^m$
which is defined in Section 2.1 as

$\mathcal{H} = \{h_\zeta : \zeta = (\zeta_{l-1}, \ldots, \zeta_1, \zeta_0) \in S\},$

where $h_\zeta$ is defined in (1).
Our scheme is described below.

Protocol: The protocol operates in $t/m - 1$ rounds. In Round $i$, for $i = 1, \ldots, t/m - 1$,

1. Alice chooses a function $h_i \in \mathcal{H}$ with uniform distribution. Let $a_i \in GF(2)^t$
be the description vector of $h_i$ such that $h_i = h_{a_i}$. If $a_i$ is linearly dependent
on $a_1, \ldots, a_{i-1}$, then Alice repeats this step until it is independent. Alice
sends $a_i$ to Bob.

2. Let $a_i = (a_i^{(t/m-1)}, \ldots, a_i^{(1)}, a_i^{(0)}) \in S$, $a_i^{(j)} \in GF(2)^m$, $0 \le j \le t/m - 1$.
Bob computes the $m$-bit $b_i = h_{a_i}(y) = \phi^{-1}\left(\sum_{j=0}^{t/m-1} \phi(a_i^{(j)})\,\phi(y_j)\right)$ and sends
$b_i$ to Alice.

After the $t/m - 1$ rounds, both Alice and Bob have the same $t/m - 1$ linear
equations over $GF(2)^m$ with $y$ as a solution. The system has exactly $2^m$ $t$-bit
strings $x_0, \ldots, x_{2^m-1}$ as solutions, one of which is $y$. We call this scheme
extended interactive hashing. We note that in case of $m = 1$, our protocol is the
same as interactive hashing.
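The hash family of Section 2.1 and the protocol above, as an added example in Python that is not part of the paper: it implements $GF(2^m)$ arithmetic, $h_\zeta$ of (1), a brute-force check of the Lemma 1 collision count, and the $t/m - 1$ rounds on toy parameters ($t = 9$, $m = 3$, $f(x) = x^3 + x + 1$, a constructed 9-bit $y$). Two choices are the example's own: Alice rejects a candidate $a_i$ that lies in the $GF(2^m)$-span of the earlier ones (a stronger test than $GF(2)$-independence, which is what guarantees exactly $2^m$ solutions), and the final system is solved by exhaustive search rather than linear algebra.

```python
import random

# Added example (not from the paper): the universal hash family of Section 2.1
# and the extended interactive hashing protocol of Section 2.3 on toy sizes.
# Elements of GF(2^m) are ints whose bits are polynomial coefficients over
# GF(2), so the paper's map phi is the identity on this representation.

def gf_mul(a, b, m, f):
    """Multiply a, b in GF(2^m) = GF(2)[x]/(f(x)); f has degree m (bit m set)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:          # degree m reached: reduce modulo f
            a ^= f
    return r

def blocks(x, t, m):
    """Split a t-bit string into l = t/m blocks of m bits; block 0 is the low bits."""
    return [(x >> (m * i)) & ((1 << m) - 1) for i in range(t // m)]

def h(zeta, x, t, m, f):
    """h_zeta(x) = phi^-1( sum_i phi(zeta_i) * phi(x_i) ), equation (1)."""
    r = 0
    for zi, xi in zip(blocks(zeta, t, m), blocks(x, t, m)):
        r ^= gf_mul(zi, xi, m, f)
    return r

def collision_count(x, y, t, m, f):
    """|{zeta in S : h_zeta(x) = h_zeta(y)}|; Lemma 1 gives |H|/2^m = 2^(t-m) for x != y."""
    return sum(1 for z in range(1 << t) if h(z, x, t, m, f) == h(z, y, t, m, f))

def gf_span(vectors, t, m, f):
    """All GF(2^m)-linear combinations of the given t-bit vectors (as a set)."""
    span = {0}
    for a in vectors:
        scaled = [sum(gf_mul(c, ai, m, f) << (m * i)
                      for i, ai in enumerate(blocks(a, t, m)))
                  for c in range(1 << m)]
        span = {s ^ v for s in span for v in scaled}
    return span

def extended_interactive_hashing(y, t, m, f, rng):
    """Run the t/m - 1 rounds between Alice (no input) and Bob (secret y).
    Returns the transcript [(a_i, b_i)] and the list of all t-bit strings
    consistent with it, which is everything Alice learns."""
    chosen, transcript = [], []
    for _ in range(t // m - 1):
        # Alice: random description a_i, redrawn while it lies in the
        # GF(2^m)-span of earlier ones (assumption: this stronger test replaces
        # the paper's GF(2)-independence check and guarantees 2^m solutions).
        span = gf_span(chosen, t, m, f)
        a = rng.randrange(1, 1 << t)
        while a in span:
            a = rng.randrange(1, 1 << t)
        chosen.append(a)
        # Bob: the m-bit answer b_i = h_{a_i}(y)
        transcript.append((a, h(a, y, t, m, f)))
    # Both parties: solve h_{a_i}(X) = b_i for all i.  Exhaustive here because
    # t is tiny; in general this is linear algebra over GF(2^m).
    solutions = [x for x in range(1 << t)
                 if all(h(a, x, t, m, f) == b for a, b in transcript)]
    return transcript, solutions

def demo(seed=1):
    """Toy run: t = 9, m = 3 (so l = 3, two rounds), f(x) = x^3 + x + 1, and a
    constructed 9-bit secret y.  Returns (y, transcript, solutions)."""
    t, m, f = 9, 3, 0b1011
    y = 0b101110011
    transcript, solutions = extended_interactive_hashing(y, t, m, f, random.Random(seed))
    return y, transcript, solutions

if __name__ == "__main__":
    y, transcript, solutions = demo()
    print("rounds:", len(transcript), " strings Alice ends with:", len(solutions))
    print("y isolated among them:", y in solutions)
    print("collisions of two distinct inputs over all zeta:",
          collision_count(0b000000001, 0b000000010, 9, 3, 0b1011), "= 2^(t-m)")
```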

It is clear that Alice does not know, information-theoretically, which
solution is $y$. Thus Condition 1 of extended interactive hashing is satisfied. We
now come to Condition 2 regarding the security against a dishonest responder
Bob. In our protocol, Bob can cheat if he can answer Alice's queries in such a
way that $T$ contains two distinct elements $s_1, s_2$ received by Alice. In Theorem
1, we show that Bob can only cheat in extended interactive hashing if the size
$|T|$ is close to $|GF(2)^t| = 2^t$. In order to prove this, we need some lemmas.

The following lemma shows that each round of the scheme reduces the size of
$T$ by a factor of almost $2^m$ with very high probability. This approach was first
used to prove the security of interactive hashing in [?]. We improve this method
in our model.

Lemma 4. Let $T \subset GF(2)^t$ be any subset with $|T| = 2^{\alpha t}$ for $0 < \alpha < 1$ and
let $p$ be a positive integer such that $p \le \alpha t/3$. Let $m$ be a positive integer which
is a divisor of $t$. Let $\mathcal{H}$ be the universal family of hash functions from $GF(2)^t$
to $GF(2)^m$ defined above. Let $U$ be a random variable with uniform distribution
over $\mathcal{H}$. Then for any $b \in GF(2)^m$,

$\Pr\left[\,|\{s \in T : U(s) = b\}| \le \left(\frac{1}{2^m} + \frac{1}{2^{m/2+p}} + \frac{1}{2^{3p}}\right)|T|\,\right] \ge 1 - 2^{-p}.$

Proof. For any $s \in T$ and $b \in GF(2)^m$, we consider the following random
variables

$X_{(b,s)} = \begin{cases} 1 & \text{if } U(s) = b \\ 0 & \text{otherwise} \end{cases}$

and their sum $X_b = \sum_{s \in T} X_{(b,s)} = |\{s \in T : U(s) = b\}|$. Thus we must show
that for any $b \in GF(2)^m$,

$\Pr\left[X_b \le \left(\frac{1}{2^m} + \frac{1}{2^{m/2+p}} + \frac{1}{2^{3p}}\right)|T|\right] \ge 1 - 2^{-p}.$   (3)
Case 1: $b \ne 0 \in GF(2)^m$.

By the definition of $X_{(b,s)}$ and Lemma 3, we obtain that for any $s \ne 0 \in T$

$E[X_{(b,s)}] = E[X_{(b,s)}^2] = \frac{|\{h \in \mathcal{H} : h(s) = b\}|}{|\mathcal{H}|} = \frac{1}{2^m}$

and $X_{(b,0)} = X_{(b,0)}^2 = 0$ by the definition of our hash family. Thus $E[X_b] = \frac{|T| - 1}{2^m}$.
By the definition of $X_b$, we obtain that

$E[X_b^2] = E\left[\sum_{s \in T} X_{(b,s)}^2 + 2 \sum_{s_i < s_j \in T} X_{(b,s_i)} X_{(b,s_j)}\right].$

Since $b \ne 0$, $X_{(b,0)} = 0$. Using this fact and Lemma 2 we obtain that

$E\left[\sum_{s_i < s_j \in T} X_{(b,s_i)} X_{(b,s_j)}\right] = \sum_{0 < s_i < s_j \in T} E[X_{(b,s_i)} X_{(b,s_j)}] = \sum_{0 < s_i < s_j \in T} \frac{|\{h \in \mathcal{H} : h(s_i) = h(s_j) = b\}|}{|\mathcal{H}|}$

$= \sum_{0 < s_i < s_j \in T} \frac{1}{2^{2m}} \le \frac{(|T| - 1)^2}{2 \cdot 2^{2m}}.$

Thus, we have $E[X_b^2] \le \frac{|T| - 1}{2^m} + \frac{(|T| - 1)^2}{2^{2m}}$ and

$\mathrm{Var}[X_b] = E[X_b^2] - (E[X_b])^2 \le \frac{|T| - 1}{2^m}.$

Now, by the Chebyshev inequality we obtain that for any $b \ne 0 \in GF(2)^m$ and
$\delta > 0$

$\Pr\left[\left|X_b - \frac{|T| - 1}{2^m}\right| \ge \delta\right] \le \frac{|T| - 1}{2^m \delta^2}.$

Substituting $\delta = \sqrt{2^p(|T| - 1)/2^m}$ we have

$\Pr\left[\left|X_b - \frac{|T| - 1}{2^m}\right| \ge \sqrt{\frac{2^p(|T| - 1)}{2^m}}\right] \le 2^{-p}.$

Hence, if $p \le \alpha t/3$ (so that $|T| = 2^{\alpha t} \ge 2^{3p}$), then with probability at least $1 - 2^{-p}$, we obtain

$X_b \le \frac{|T| - 1}{2^m} + \sqrt{\frac{2^p(|T| - 1)}{2^m}} \le \left(\frac{1}{2^m} + \frac{1}{2^{p+m/2}}\right)|T| \le \left(\frac{1}{2^m} + \frac{1}{2^{p+m/2}} + \frac{1}{2^{3p}}\right)|T|$

and (3) is satisfied.
Case 2: $b = 0 \in GF(2)^m$.

Using $X_{(0,0)} = 1$, Lemma 2 and Lemma 3, we obtain that $E[X_0] = \frac{|T| - 1}{2^m} + 1$
and $E[X_0^2] \le \frac{3(|T| - 1)}{2^m} + 1 + \frac{(|T| - 1)^2}{2^{2m}}$. Thus $\mathrm{Var}[X_0] \le \frac{|T| - 1}{2^m}$. By the Chebyshev
inequality we obtain that for any $\delta > 0$

$\Pr\left[\left|X_0 - \frac{|T| - 1}{2^m} - 1\right| \ge \delta\right] \le \frac{|T| - 1}{2^m \delta^2}.$

Substituting $\delta = \sqrt{2^p(|T| - 1)/2^m}$, we have that with probability at least $1 - 2^{-p}$,

$X_0 \le \frac{|T| - 1}{2^m} + 1 + \sqrt{\frac{2^p(|T| - 1)}{2^m}} \le \left(\frac{1}{2^m} + \frac{1}{2^{p+m/2}} + \frac{1}{2^{3p}}\right)|T|,$

using $p \le \alpha t/3$ (so that $1 \le |T|/2^{3p}$), and the lemma is proved. □


The following lemma was proved in [?].

Lemma 5. [?] Let $T \subset GF(2)^t$ be any subset with $|T| = 2^{\alpha t}$ for $0 < \alpha < 1$. Let
$p$ and $q$ be positive integers such that $2\alpha t \le mq - p$ and $p, mq < t$ where $m$ is
a divisor of $t$. Let $\mathcal{H}$ be the universal family of hash functions from $GF(2)^t$ to
$GF(2)^{mq}$. Let $U$ be a random variable with uniform distribution over $\mathcal{H}$. Then
for any distinct $s_1, s_2 \in T$, we have

$\Pr[U(s_1) = U(s_2)] \le 2^{-p}.$


Lemma 6. Suppose that Alice and Bob engage in extended interactive hashing
of a $t$-bit string as described above. Let $T \subset GF(2)^t$ be any subset with $|T| = 2^{\alpha t}$
for $0 < \alpha < 1$ and let $r$ be a positive integer such that $\log_2 t \le r \le \alpha t/6$. Let $m$
be a positive integer which is a divisor of $t$ and $m \le 2r$. If $\alpha \le 1 - \frac{8r + 2m + 2}{t}$,
then with probability at most $\frac{t}{2^{2r}}$, Bob can answer Alice's queries in such a way
that Bob's answers are consistent for two distinct elements $s_1, s_2 \in T$.


Proof. For $i = 1, \ldots, t/m - 1$, let $T_i \subset T$ be the subset of $T$ satisfying $h_j(s) = b_j$,
for $j = 1, \ldots, i$, after Round $i$ of the extended interactive hashing protocol. Let
$p = 2r$. Then using $r \le \alpha t/6$ and $\alpha \le 1 - \frac{8r + 2m + 2}{t}$, we obtain that $\alpha t \ge 3p$ and
$\frac{\alpha t - 3p + 1}{m} < \frac{t}{m} - 1$. Thus there exists a positive integer $i_j$ such that

(4)

Applying Lemma 4 by induction on $i$ from 1 to $i_j - 1$, we get

$|T_i| \le \left(\frac{1}{2^m} + \frac{1}{2^{m/2+p}} + \frac{1}{2^{3p}}\right)^i |T|$

except with probability at most $i \cdot 2^{-p}$. Thus, we obtain that

$\log_2 |T_{i_j}| \le (\alpha t - m i_j) + i_j \log_2\left(1 + 2^{m/2 - p} + 2^{-3p + m}\right) < 3p + 1$   (5)

by (4) and $i_j \log_2\left(1 + 2^{m/2 - p} + 2^{-3p + m}\right) \le \frac{t}{m} \cdot \left(2^{m/2 - p} + 2^{-3p + m}\right) < 1$.


Efficient Oblivious Transfer in the Bounded-Storage Model 151 

Now we want to apply Lemma 5 for step $i_j$ (round $i_j$ through $t/m - 1$
collectively) using $T_{i_j}$. Since $\alpha \le 1 - \frac{4p + 2m + 2}{t}$, $4p \le t - \alpha t - 2m - 2$ and

$2 \log_2 |T_{i_j}| < 6p + 2 \le 2p + t - \alpha t - 2m$

by (5). Using (4) we get

$2p + t - \alpha t - 2m = t - m\left(\frac{\alpha t - 3p}{m} + 2\right) - p \le t + m(-i_j - 1) - p$

and $2 \log_2 |T_{i_j}| < m(t/m - 1 - i_j) - p$ holds. Hence we can apply Lemma 5 and
the overall failure probability is at most $(i_j + 1)2^{-p} \le \frac{t}{m} \cdot 2^{-p} \le \frac{t}{2^{2r}}$, which
proves the lemma. □

The following theorem shows that Condition 2 of extended interactive hashing
is satisfied.

Theorem 1. Suppose that Alice and Bob engage in extended interactive hashing
of a $t$-bit string as defined above. For positive integers $l$ and $m$, let $t = lm$. Let
$T \subset GF(2)^t$ be any subset with $|T| \le 2^{t-k}$ where $k$ satisfies $\log_2 t \le k \le 2t/3$. If
$m \le \frac{k-2}{6}$ then with probability at most $\frac{t}{2^{(k-2)/6}}$, Bob can answer Alice's queries in
such a way that Bob's answers are consistent for two distinct elements $s_1, s_2 \in T$.

Proof. For any positive integer $r$ which satisfies $\log_2 t \le r \le (t-2)/18$, let
$k = 12r + 2$. Then we get $r \le \alpha t/6$ and $m \le 2r$. Thus the theorem follows from
Lemma 6. □

Corollary 1. Suppose that Alice and Bob engage in extended interactive hashing
of a $t$-bit string as defined above. For positive integers $l$ and $m$, let $t = lm$, $m < t$.
Let $T_0, T_1 \subset GF(2)^t$ be any two subsets with $|T_0|, |T_1| \le 2^{t-k}$ where $k$ satisfies
$\log_2 t \le k \le 2t/3$. If $m \le \frac{k-2}{6}$ then the probability that Bob can answer Alice's
queries such that two distinct elements, one of which lies in $T_0$ and the other
in $T_1$, are consistent with his answers is at most $\frac{t}{2^{(k-2)/6}}$.

3 1-out-of-$N$ Oblivious Transfer Protocol

In this section we describe an efficient protocol for $OT_1^N$ in the bounded-storage
model. Throughout the paper, let $k$ be a security parameter and $M$ be the length
of a public random string, and let $L = \tau M$, $\tau < 1$, be the storage bound on the
receiver Bob. For simplicity, we only consider $L = M/6$ (i.e. $\tau = 1/6$). For any
$\tau < 1$ we can obtain similar results.

An OT scheme is a two-party protocol between the sender Alice, who possesses
$N$ secret bits $X_0, \ldots, X_{N-1} \in GF(2)$, and the receiver Bob, who would
like to learn one of them at his choice. We assume that Alice is honest, that is,
she won't send secrets that are not claimed. An $OT_1^N$ scheme should satisfy the
following requirements:

1. Correctness: if Alice and Bob follow the protocol, Bob obtains $X_c$ after
executing the protocol, where $c \in \{0, \ldots, N-1\}$ is a secret value of his
choice.
2. Bob's privacy: after executing the protocol with Bob, Alice shall not get any
information about Bob's secret value $c$.

3. Alice's privacy: after executing the protocol with Alice, Bob does not learn
any information about the other secrets $X_i$, $i \ne c$, or their combination, except
with a negligible probability $\nu(k)$.

3.1 Basic Ideas

In this subsection we explain the basic ideas of our protocol for $OT_1^N$. Let $n = 2\sqrt{kM}$.

First, Alice and Bob choose independent random subsets $A, B \subset \{1, \ldots, M\}$
with $|A| = |B| = n$, respectively. If a public random string $\alpha \leftarrow GF(2)^M$ is
broadcast, Alice stores $\alpha[i]$, $\forall i \in A$, and Bob stores $\alpha[j]$, $\forall j \in B$, where $\alpha[i]$
is the $i$-th bit of $\alpha$. Then Alice sends her subset $A$ to Bob, and Bob computes
$A \cap B$. The following lemma shows that $|A \cap B| \ge k$ with very high probability.

Lemma 7. [10] Let $A, B$ be two independent random subsets of $\{1, \ldots, M\}$ with
$|A| = |B| = 2\sqrt{kM}$. Then $\Pr[\,|A \cap B| < k\,] < e^{-k/4}$.

Fact 1. (Encoding $k$-Element Subsets) [3]. Each of the $\binom{n}{k}$ $k$-element subsets
of $\{1, \ldots, n\}$ can be uniquely encoded as a $\lceil \log_2 \binom{n}{k} \rceil$-bit string.

Next, Bob encodes a random $k$-element subset $A_1 \subset A \cap B$ as a $\lceil \log_2 \binom{n}{k} \rceil$-bit
string and sends $A_1$ to Alice by the extended interactive hashing protocol
defined in Section 2.3. After executing the extended interactive hashing protocol
between Alice and Bob, they can construct one "good" set and $N - 1$ "bad" sets.
Bob knows the "good" set, but does not learn any information about the "bad"
sets. Alice knows all of the sets, but does not distinguish between the "good"
set and the "bad" sets.

Next, Bob asks Alice to encrypt $X_c$ with the "good" set and the other secrets
$X_i$, $i \ne c$, with the bad sets. Since Bob knows the "good" set but not the "bad" sets,
he can recover $X_c$, but not $X_i$, $i \ne c$.

3.2 Protocol for $OT_1^N$

We propose the $OT_1^N$ protocol for a receiver with bounded memory size. The protocol
uses $N$ public random strings $\alpha_0, \ldots, \alpha_{N-1} \leftarrow GF(2)^M$. Let $n = 2\sqrt{kM}$
and let $t = \lceil \log_2 \binom{n}{k} \rceil$. For some positive integers $l$ and $m$, suppose $t = lm$ and
$m \le (k - 2)/6$.

Protocol ($OT_1^N$): A sender Alice has $N$ input bits $X_0, \ldots, X_{N-1}$ where $N = 2^u$,
$1 \le u \le m$. A receiver Bob chooses $c \in \{0, \ldots, N-1\}$ and wants to know $X_c$.

1. Alice randomly chooses $N$ sets $A^{(0)} = \{a_1^{(0)}, \ldots, a_n^{(0)}\}, \ldots, A^{(N-1)} = \{a_1^{(N-1)},
\ldots, a_n^{(N-1)}\} \subset \{1, \ldots, M\}$ of size $n$. Bob randomly chooses $N$ sets
$B^{(0)} = \{b_1^{(0)}, \ldots, b_n^{(0)}\}, \ldots, B^{(N-1)} = \{b_1^{(N-1)}, \ldots, b_n^{(N-1)}\} \subset \{1, \ldots, M\}$
of size $n$.
2. If the first public random string $\alpha_0 \in GF(2)^M$ is broadcast, Alice stores
$\alpha_0[a_1^{(0)}], \ldots, \alpha_0[a_n^{(0)}]$ and Bob stores $\alpha_0[b_1^{(0)}], \ldots, \alpha_0[b_n^{(0)}]$. After a short time,
if the second public random string $\alpha_1 \in GF(2)^M$ is broadcast, Alice
stores $\alpha_1[a_1^{(1)}], \ldots, \alpha_1[a_n^{(1)}]$ and Bob stores $\alpha_1[b_1^{(1)}], \ldots, \alpha_1[b_n^{(1)}]$. After
iterative procedures, if $\alpha_{N-1} \in GF(2)^M$ is broadcast, Alice stores
$\alpha_{N-1}[a_1^{(N-1)}], \ldots, \alpha_{N-1}[a_n^{(N-1)}]$ and Bob also stores $\alpha_{N-1}[b_1^{(N-1)}], \ldots, \alpha_{N-1}[b_n^{(N-1)}]$.

3. Alice sends $A^{(0)}, \ldots, A^{(N-1)}$ to Bob. Bob randomly chooses $\varepsilon \in \{0, \ldots, N-1\}$,
and computes $A^{(\varepsilon)} \cap B^{(\varepsilon)}$. If $|A^{(\varepsilon)} \cap B^{(\varepsilon)}| < k$, then he aborts the
protocol. Otherwise, Bob chooses a set $I = \{i_1, \ldots, i_k\}$ such that $A^{(\varepsilon)}_I =
\{a_{i_1}^{(\varepsilon)}, \ldots, a_{i_k}^{(\varepsilon)}\} \subset A^{(\varepsilon)} \cap B^{(\varepsilon)}$.

4. Bob encodes $I$ as a $t$-bit string, where $t = \lceil \log_2 \binom{n}{k} \rceil$. Bob sends $I$ to Alice
with the extended interactive hashing protocol in $t/m - 1$ rounds. After
executing the extended interactive hashing, both Alice and Bob have exactly
$2^m$ $t$-bit strings, one of which is $I$. Bob chooses $N$ subsets $I_0 < \cdots < I_{N-1}$
such that $I = I_\delta$ for some $\delta \in \{0, \ldots, N-1\}$ and such that the $N$ strings that
encode $I_0, \ldots, I_{N-1}$ are among the $2^m$ possible strings from the extended
interactive hashing protocol, and sends them to Alice.

5. Alice checks whether the $N$ $k$-subsets $I_0 < \cdots < I_{N-1} \subset \{1, \ldots, n\}$ received
in Step 4 are all contained in the $2^m$ $k$-subsets computed by the extended
interactive hashing protocol. If any one of the $N$ $k$-subsets isn't contained in the $2^m$
$k$-subsets, she aborts the protocol. For some $\delta \in \{0, \ldots, N-1\}$, $I = I_\delta$. Bob
knows $\delta$, but Alice does not know $\delta$.

6. Bob sends the $u$-bit values $\gamma = \delta \oplus \varepsilon$ and $\rho = c \oplus \varepsilon$ to Alice, where for any $x, y \in
\{0, \ldots, N-1\}$, $x \oplus y$ is defined as follows: $x \oplus y = (x_0 \oplus y_0, \ldots, x_{u-1} \oplus y_{u-1}) \in
GF(2)^u$ where $x = (x_0, \ldots, x_{u-1})$, $y = (y_0, \ldots, y_{u-1}) \in GF(2)^u$.

7. Alice sets $Y_0 = \bigoplus_{j=1}^{k} \alpha_0[a^{(0)}_{I_{\gamma \oplus 0}[j]}], \ldots, Y_{N-1} = \bigoplus_{j=1}^{k} \alpha_{N-1}[a^{(N-1)}_{I_{\gamma \oplus (N-1)}[j]}]$, where
$I_l[j]$ denotes the $j$-th element of the $k$-subset $I_l$ for $l = 0, \ldots, N-1$. Then
Alice computes $Z_0 = X_0 \oplus Y_\rho, \ldots, Z_{N-1} = X_{N-1} \oplus Y_{\rho \oplus (N-1)}$, and sends
$Z_0, \ldots, Z_{N-1}$ to Bob.

8. Bob gets $X_c = Z_c \oplus Y_\varepsilon$.

Remark 1. Alice and Bob store $N \cdot n = 2N\sqrt{kM}$ bits in Step 2. Alice and Bob
also store $t^2/m$ bits in the extended interactive hashing of Step 4. Here
$t = \lceil \log_2 \binom{n}{k} \rceil \le k \cdot (\log_2 n - \log_2 (k/e))$. Because $k \ll M$, they need to store
$O(n)/m$ bits. Thus, in order to implement the protocol, Alice and Bob should
store $N \cdot n + O(n)/m$ bits.

Remark 2. The probability that an honest receiver Bob aborts in Step 3 of the
protocol is not more than $e^{-k/4}$ by Lemma 7.

Correctness: Since $Y_\varepsilon = \bigoplus_{j=1}^{k} \alpha_\varepsilon[a^{(\varepsilon)}_{I_{\gamma \oplus \varepsilon}[j]}] = \bigoplus_{j=1}^{k} \alpha_\varepsilon[a^{(\varepsilon)}_{I_\delta[j]}]$, Bob can know $Y_\varepsilon$.
Thus, he can compute $X_c = Z_c \oplus Y_{\rho \oplus c} = Z_c \oplus Y_\varepsilon$.
Bob's Privacy: Because Alice does not know $e$ defined in Step 3 and $\delta$ defined in Step 5, she gains no information about Bob's secret $c$ from $\gamma$ and $\rho$ received in Step 6. 

Alice's Privacy: In order to prove the security against a dishonest receiver Bob, who can store $L = M/6$ bits, we apply the method of proof in Ding's model [?]. If $\alpha_0$ is broadcast in Step 2, Bob computes an arbitrary function $\eta_0 = A_0(\alpha_0)$, $|\eta_0| = M/6$, using unlimited computing power. And if $\alpha_1$ is broadcast, Bob computes an arbitrary function $\eta_1 = A_1(\eta_0, \alpha_1)$, $|\eta_1| = M/6$. After iterative procedures, if $\alpha_{N-1}$ is broadcast, Bob computes an arbitrary function $\eta_{N-1} = A_{N-1}(\eta_{N-2}, \alpha_{N-1})$, $|\eta_{N-1}| = M/6$. In Step 3 - Step 6, using $A_0, \ldots, A_{N-1}$ and $\eta_{N-1}$, Bob uses an arbitrary strategy in interacting with Alice. After executing the protocol, Bob tries to gain information about $X_i$, $i \neq c$, using the information $\eta_{N-1}$ on $(\alpha_0, \ldots, \alpha_{N-1})$, $Z_0, \ldots, Z_{N-1}$ received from Alice in Step 7, and all the information $\Omega$ which he gains in Step 3 - Step 6. 

Theorem 2. Consider the $OT^N_1$ protocol defined above. For any $A_0 : GF(2)^M \to GF(2)^{M/6}$, $A_1 : GF(2)^{M/6} \times GF(2)^M \to GF(2)^{M/6}$, $\ldots$, $A_{N-1} : GF(2)^{M/6} \times GF(2)^M \to GF(2)^{M/6}$, and for any strategy Bob uses in Step 3 - Step 6 of the protocol, with probability at least $1 - 2^{-O(k)} - N \cdot 2^{-0.02M}$ there exists some $p \in \{0, 1, \ldots, N-1\}$ such that $\forall X_0, \ldots, X_{N-1} \in GF(2)$, $\forall c \in \{0, \ldots, N-1\}$, $\forall i \in \{1, \ldots, N-1\}$ and for any distinguisher $\mathcal{D}$, 

$$\Big| \Pr[\mathcal{D}(\eta_{N-1}, \Omega, Y_{p \oplus i} \oplus X_c, Y_p \oplus X_{c \oplus i}) = 1] - \Pr[\mathcal{D}(\eta_{N-1}, \Omega, Y_{p \oplus i} \oplus X_c, Y_p \oplus 1 \oplus X_{c \oplus i}) = 1] \Big| < 2^{-k/3}, \qquad (6)$$

where $\eta_0 = A_0(\alpha_0)$, $\eta_1 = A_1(\eta_0, \alpha_1)$, $\ldots$, $\eta_{N-1} = A_{N-1}(\eta_{N-2}, \alpha_{N-1})$, $\Omega$ denotes all the information Bob obtains in Step 3 - Step 6, and $Y_0, \ldots, Y_{N-1}$ are defined in Step 7. Thus the view of Bob is essentially the same even when $X_{c \oplus i}$ is replaced by $1 \oplus X_{c \oplus i}$. Hence Bob gains no information about any non-trivial function or relation involving more than two $X_i$'s in the protocol. 

A proof of this theorem which guarantees the privacy of Alice is given in the 
appendix. 

4 Complexity 

In the bounded-storage model, the complexity of $OT^N_1$ mainly depends on the extended interactive hashing scheme. Since the complexity of the extended interactive hashing scheme for $OT^N_1$ is similar to that of $OT^2_1$, we compare the complexity of our extended interactive hashing protocol for $OT^2_1$ with the complexity of the NOVY protocol, which is the interactive hashing scheme used in the CCM protocol and in Ding's protocol [?]. 

Table 1. $M = 10^{15}$, $n = \lceil 2\sqrt{kM} \rceil$, $t = \lceil \log_2 \binom{n}{k} \rceil$, and $m_{\max}$ is the largest positive integer $m$ which divides $t$ and satisfies $m < (k-2)/6$. 

  k              number of k such that m_max > sqrt(t)    number of k such that m_max = 1 
  1000 - 2000    218                                      101 
  2001 - 3000    329                                      100 
  3001 - 4000    353                                       92 
  4001 - 5000    389                                       95 
  5001 - 6000    403                                       90 
  6001 - 7000    414                                       77 
  7001 - 8000    440                                       75 
  8001 - 9000    426                                       93 
  9000 - 10000   445                                       65 

The NOVY protocol, which transmits a string of $t$ bits, has $t - 1$ rounds of round complexity and $(t-1) \cdot (t+1) = t^2 - 1$ bits of communication complexity. On the other hand, our extended interactive hashing protocol has $t/m - 1$ rounds of round complexity and $(t/m - 1) \cdot (t + m) = t^2/m - m$ bits of communication complexity when $m$ divides $t$. In the case $m = 1$, our protocol and the NOVY protocol are the same. If there exists an admissible $m > 1$, our protocol is about $m$ times as efficient as the NOVY protocol, and the larger $m$ is, the lower the complexity of our protocol. By Theorem 1, $m$ must satisfy the condition $1 \le m < (k-2)/6$, where $k$ is the security parameter. Thus, if we choose the largest integer $m$ such that $m$ divides $t$ and $1 \le m < (k-2)/6$, we obtain the integer $m$ which makes our protocol most efficient. For example, assume that the length of the public random string is a petabit (i.e., $M = 10^{15}$) and $1000 \le k \le 10000$ for the security parameter $k$. Table 1 gives the information on the security parameter $k$ that we can choose in our protocol. 

In the case $m_{\max} = 1$ in Table 1, our interactive hashing protocol is simply equivalent to the NOVY protocol. By Table 1, the number of $k$ such that $m_{\max} = 1$ is less than 10% for $1000 \le k \le 10000$. If we choose $k$ such that $m_{\max} > \sqrt{t}$, then we can construct a protocol with a communication complexity of $t^{3/2} - t^{1/2}$ bits, which is much lower than that of the NOVY protocol. Such $k$ are more than 20% for $1000 \le k \le 2000$, 30% for $2001 \le k \le 5000$ and 40% for $5001 \le k \le 10000$. Hence, we can easily choose $k$ such that our extended interactive hashing for $OT^2_1$ is more efficient than the NOVY protocol used in the CCM protocol and in Ding's protocol. 
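As an added example (not code from the paper), the following Python computes $t$, $m_{\max}$ and the two communication costs for the parameters of this section, assuming $M = 10^{15}$ and the definitions of Table 1; tally() counts the two Table 1 columns for any range of $k$.

```python
# Added example, not code from the paper: choosing m for the extended
# interactive hashing protocol and comparing it with NOVY, using the
# Table 1 conventions: M = 10^15, n = ceil(2*sqrt(kM)), t = ceil(log2 C(n,k)),
# m_max = largest divisor of t with m < (k-2)/6.
import math

M = 10**15  # one petabit of public randomness, the paper's example


def t_bits(k, m_total=M):
    """t = ceil(log2 C(n, k)) with n = ceil(2*sqrt(kM)).

    n is around 10^9 or more, far too large for math.comb, so log2 of the
    binomial coefficient is taken through lgamma (accurate to well under
    one bit here)."""
    n = math.ceil(2 * math.sqrt(k * m_total))
    ln_binom = math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
    return math.ceil(ln_binom / math.log(2))


def m_max(k, t):
    """Largest m dividing t with m < (k - 2)/6 (the constraint of Theorem 1)."""
    limit = (k - 2) / 6
    best = 1
    for d in range(1, math.isqrt(t) + 1):
        if t % d == 0:
            for cand in (d, t // d):
                if best < cand < limit:
                    best = cand
    return best


def costs(k):
    """(rounds, bits) for NOVY and for the extended protocol with m = m_max."""
    t = t_bits(k)
    m = m_max(k, t)
    novy = (t - 1, t * t - 1)                  # (t-1) rounds, (t-1)(t+1) bits
    extended = (t // m - 1, t * t // m - m)    # (t/m-1) rounds, (t/m-1)(t+m) bits
    return {"t": t, "m_max": m, "novy": novy, "extended": extended}


def tally(k_lo, k_hi):
    """The two Table 1 columns for k_lo <= k <= k_hi:
    (number of k with m_max > sqrt(t), number of k with m_max = 1)."""
    above_sqrt = ones = 0
    for k in range(k_lo, k_hi + 1):
        t = t_bits(k)
        m = m_max(k, t)
        above_sqrt += m > math.sqrt(t)
        ones += m == 1
    return above_sqrt, ones


if __name__ == "__main__":
    for k in (1000, 5000, 10000):
        c = costs(k)
        print(f"k={k}: t={c['t']}, m_max={c['m_max']}, "
              f"NOVY={c['novy']}, extended={c['extended']}")
    print("1000 <= k <= 2000:", tally(1000, 2000))
```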

5 Conclusion 

In this paper we propose the $OT^N_1$ protocol as a generalization of Ding's protocol for $OT^2_1$ in the bounded-storage model. Furthermore, when $N = 2$, our protocol is similar to that of Ding, but is constructed more efficiently. We used the efficient extended interactive hashing protocol to reduce the complexity of the protocol. The proposed extended interactive hashing protocol, which transmits a $t$-bit string, has $t/m - 1$ rounds of round complexity and 
$(t/m - 1) \cdot (t + m) = t^2/m - m$ bits of communication complexity when $m$ divides $t$, and provides a way to isolate more than two strings. We note that the $m$ in this paper must divide $t$ and satisfy $m < (k-2)/6$. And we show by a concrete example that we can choose an integer $m$ such that the protocol has $t^{3/2} - t^{1/2}$ bits of communication complexity, which is much lower than that of the NOVY protocol. This fact provides a partial answer to an open problem raised in [?]. Using such extended interactive hashing, we also constructed the protocol for $OT^N_1$ having almost the same efficiency as the $OT^2_1$ scheme. 
A Proof of Theorem 2 

We extend the proof in Ding [?] to deal with $OT^N_1$. We use the same definitions and lemmas as given in [?]. 

Definition 2. Define $\mathcal{K} \stackrel{\mathrm{def}}{=} \{I \subset \{1, \ldots, M\} : |I| = k\}$. 

Definition 3. Let $E \subset GF(2)^M$ and $I \in \mathcal{K}$. We say that $I$ is good for $E$ if 

$$\left| \frac{|\{\alpha \in E : \bigoplus_{j=1}^{k} \alpha[I[j]] = 0\}|}{|E|} - \frac{|\{\alpha \in E : \bigoplus_{j=1}^{k} \alpha[I[j]] = 1\}|}{|E|} \right| < 2^{-k/3}.$$


Definition 4. Let $E \subset GF(2)^M$. We say that $E$ is fat if $|E| \ge 2^{0.813M}$. 

Lemma 8. [?] For any function $f : GF(2)^M \to GF(2)^{M/6}$ and a uniformly random $\alpha \in GF(2)^M$, 
$\Pr[f^{-1}(f(\alpha)) \text{ is fat}] \ge 1 - 2^{-0.02M}$. 


Definition 5. For $A \subset \{1, \ldots, M\}$, define $\mathcal{K}_A \stackrel{\mathrm{def}}{=} \{I \subset A : |I| = k\}$. 

Definition 6. For $A \subset \{1, \ldots, M\}$ and $E \subset GF(2)^M$, define 
$B^A_E \stackrel{\mathrm{def}}{=} \{I \in \mathcal{K}_A : I \text{ is not good for } E\}$. 

Lemma 9. [?] Let $E \subset GF(2)^M$ be fat. For a uniformly random $A \subset \{1, \ldots, M\}$ with $|A| = n$, 

$$\Pr\left[ |B^A_E| \le |\mathcal{K}_A| \cdot 2^{-k/6} = \binom{n}{k} \cdot 2^{-k/6} \right] \ge 1 - 2^{-k/6}.$$


158 Dowon Hong, Ku- Young Chang, and Heuisu Ryu 


Proof of Theorem 2: In order to show equation (6) of Theorem 2, it suffices to show that with probability at least $1 - 2^{-O(k)} - N \cdot 2^{-0.02M}$ there exists $p \in \{0, 1, \ldots, N-1\}$ such that for any $i \in \{1, \ldots, N-1\}$ and for any distinguisher $\mathcal{D}$, 

$$\Big| \Pr[\mathcal{D}(\eta_{N-1}, \Omega, Y_{p \oplus i}, Y_p) = 1] - \Pr[\mathcal{D}(\eta_{N-1}, \Omega, Y_{p \oplus i}, Y_p \oplus 1) = 1] \Big| < 2^{-k/3}. \qquad (7)$$

Here $\eta_0 = A_0(\alpha_0)$, $\eta_1 = A_1(\eta_0, \alpha_1)$, $\ldots$, $\eta_{N-1} = A_{N-1}(\eta_{N-2}, \alpha_{N-1})$, $\Omega$ denotes all the information Bob obtains in Step 3 - Step 6, and $Y_0, \ldots, Y_{N-1}$ are defined in Step 7 of the protocol. 

Note that, as in the proof of Theorem 1 in [?], it suffices to show equation (7) in the case that Bob's recording functions $A_0, \ldots, A_{N-1}$ are deterministic. 

We prove a slightly stronger result: equation (7) holds even if Bob stores not only $\eta_{N-1}$ but also $\eta_0, \eta_1, \ldots, \eta_{N-1}$. Let 

$$E_0 \stackrel{\mathrm{def}}{=} \{\alpha \in GF(2)^M : A_0(\alpha) = \eta_0\}, \quad E_1 \stackrel{\mathrm{def}}{=} \{\alpha \in GF(2)^M : A_1(\eta_0, \alpha) = \eta_1\}, \quad \ldots, \quad E_{N-1} \stackrel{\mathrm{def}}{=} \{\alpha \in GF(2)^M : A_{N-1}(\eta_{N-2}, \alpha) = \eta_{N-1}\}.$$

After $\eta_0, \ldots, \eta_{N-1}$ are computed in Step 2 of the protocol, Bob can compute $E_0, \ldots, E_{N-1}$ using unlimited computing power. But given $\eta_0, \ldots, \eta_{N-1}$, all Bob knows about $(\alpha_0, \ldots, \alpha_{N-1})$ is that it is uniformly random in $E_0 \times \cdots \times E_{N-1}$. By Lemma 8, for any recording functions $A_0, \ldots, A_{N-1}$ and for uniformly random $\alpha_0, \ldots, \alpha_{N-1} \in GF(2)^M$, 

$$\Pr[\text{all of } E_0, \ldots, E_{N-1} \text{ are fat}] \ge 1 - N \cdot 2^{-0.02M}. \qquad (8)$$

Thus, consider the case that all of $E_0, \ldots, E_{N-1}$ are fat. 

Let $A^{(0)}, \ldots, A^{(N-1)}$ be the random subsets of $\{1, \ldots, M\}$ with $|A^{(i)}| = n$, $\forall i \in \{0, 1, \ldots, N-1\}$, which Alice chooses in Step 1 of the protocol. By (8) and Lemma 9, we have that for any $i \in \{1, \ldots, N-1\}$ and for $p \in \{0, \ldots, N-1\}$, with probability at least $1 - N \cdot 2^{-0.02M} - 2^{-k/6+1}$, 

$$\left|B^{A^{(p)}}_{E_p}\right|, \ \left|B^{A^{(p \oplus i)}}_{E_{p \oplus i}}\right| \le \binom{n}{k} \cdot 2^{-k/6}. \qquad (9)$$

Thus, consider the case that $B^{A^{(p)}}_{E_p}$ and $B^{A^{(p \oplus i)}}_{E_{p \oplus i}}$ satisfy (9). 

For each $e \in \{0, \ldots, N-1\}$, denote $A^{(e)} = \{a^{(e)}_1, \ldots, a^{(e)}_n\}$. For $J = \{j_1, \ldots, j_k\} \subset \{1, \ldots, n\}$, denote $A^{(e)}_J = \{a^{(e)}_{j_1}, \ldots, a^{(e)}_{j_k}\}$. By Definition 5, $A^{(e)}_J \in \mathcal{K}_{A^{(e)}}$. Define 

$$F_p = \{J \subset \{1, \ldots, n\} : |J| = k \ \wedge \ A^{(p)}_J \in B^{A^{(p)}}_{E_p}\};$$

$$F_{p \oplus i} = \{J \subset \{1, \ldots, n\} : |J| = k \ \wedge \ A^{(p \oplus i)}_J \in B^{A^{(p \oplus i)}}_{E_{p \oplus i}}\}.$$

Using (9) and $|F_p| = |B^{A^{(p)}}_{E_p}|$, $|F_{p \oplus i}| = |B^{A^{(p \oplus i)}}_{E_{p \oplus i}}|$, we have 

$$|F_p|, \ |F_{p \oplus i}| \le \binom{n}{k} \cdot 2^{-k/6}. \qquad (10)$$
Consider $I_0, \ldots, I_{N-1}$ defined in Step 5 of the protocol. Let $\gamma$ be the first $u$-bit string which Bob sends to Alice in Step 6 of the protocol. Then by (8), (9), (10) and Corollary 1 on the extended interactive hashing, we have that for any strategy Bob uses in Step 3 - Step 6, with probability at least $1 - 2^{-O(k)} - N \cdot 2^{-0.02M}$, $I_{\gamma \oplus p} \notin F_p$ or $I_{\gamma \oplus p \oplus i} \notin F_{p \oplus i}$. WLOG, assume $I_{\gamma \oplus p \oplus i} \notin F_{p \oplus i}$. Let $Y_p = \bigoplus_{j=1}^{k} \alpha_p[a^{(p)}_{I_{\gamma \oplus p}[j]}]$ and $Y_{p \oplus i} = \bigoplus_{j=1}^{k} \alpha_{p \oplus i}[a^{(p \oplus i)}_{I_{\gamma \oplus p \oplus i}[j]}]$, as defined in Step 7 of the protocol. Since $I_{\gamma \oplus p \oplus i} \notin F_{p \oplus i}$, by definition $A^{(p \oplus i)}_{I_{\gamma \oplus p \oplus i}} \notin B^{A^{(p \oplus i)}}_{E_{p \oplus i}}$. By Definition 3 of goodness, for uniformly random $\alpha_{p \oplus i} \in E_{p \oplus i}$, 

$$\big| \Pr[Y_{p \oplus i} = 0] - \Pr[Y_{p \oplus i} = 1] \big| < 2^{-k/3}.$$

Since $(\alpha_p, \alpha_{p \oplus i})$ is uniformly random in $E_p \times E_{p \oplus i}$, $Y_p$ and $Y_{p \oplus i}$ are independent. Thus for any $b \in GF(2)$, 

$$\big| \Pr[Y_{p \oplus i} = 0 \mid Y_p = b] - \Pr[Y_{p \oplus i} = 1 \mid Y_p = b] \big| < 2^{-k/3},$$

which proves (7) and the proof is done. 
Abstract. In this paper we ask the question what happens if we replace all the constants in Rijndael, including the replacement of the irreducible polynomial, the coefficients of the MixColumn operation, the affine transformation in the S box, etc. We show that such replacements can create new dual ciphers, which are equivalent to the original in all aspects. We present several such dual ciphers of Rijndael, such as the square of Rijndael, and dual ciphers with the irreducible polynomial replaced by primitive polynomials. We also describe another family of dual ciphers consisting of the logarithms of Rijndael. We then discuss self-dual ciphers, and extend our results to other ciphers. 


1 Introduction 

Recently, the cipher Rijndael [8] was selected as the Advanced Encryption Standard (AES) [17]. This cipher operates over the algebraic Galois field $GF(2^8)$. The motivation for this is computational efficiency, as $GF(2^8)$ elements can be represented by bytes, which can be very efficiently processed by modern computers, unlike bit-level operations that are usually more expensive in computer power. The drawback is that the algebraic structure inherited from the $GF(2^8)$ operations may be susceptible to algebraic relations, such as the relations in [9,19]. Algebraic structures may be used to develop cryptographic attacks that exploit the algebraic weakness of the cipher. An example of such attacks is the interpolation attack [11]. In an attempt to avoid some of these difficulties, other mechanisms are introduced into these ciphers, such as bit-level affine transformations. 

In this paper we ask the question what happens if we replace all the constants 
in Rijndael, including the replacement of the irreducible polynomial, the coeffi- 
cients of the MixColumn operation, the affine transformation in the S box, etc. 
We show that such replacements can create new dual ciphers, which are equiv- 
alent to the original in all aspects. Although their intermediate values during 
encryption are different than Rijndael’s, we can show that they are equivalent to 
Rijndael. Examples of such ciphers include ciphers with a primitive polynomial 
(replacing the irreducible polynomial of Rijndael), the cipher Square of Rijndael 
that encrypts the square of the plaintext under the square of the key to the 
square of the ciphertext, and a cipher with a triangular affine matrix in the S 
box. 

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 160-175, 2002. 

© Springer-Verlag Berlin Heidelberg 2002 
Definition 1. Two ciphers $E$ and $E'$ are called Dual Ciphers if they are isomorphic, i.e., if there exist invertible transformations $f(\cdot)$, $g(\cdot)$ and $h(\cdot)$ such that 

$$\forall P, K \quad f(E_K(P)) = E'_{g(K)}(h(P)).$$

Trivial dual ciphers are very easy to find for all ciphers. For example, every cipher is dual to itself with the identity transformations. Also, for any cipher, the addition of non-cryptographic invertible initial and final transformations creates a trivial dual cipher. We are not interested in these kinds of dual ciphers. The interesting question is whether there exist non-trivial dual ciphers of widely used ciphers. 

An extension of dual ciphers are semi-dual ciphers: 

Definition 2. A cipher $E'$ is called a semi-dual cipher of $E$ if there exist transformations $f(\cdot)$, $g(\cdot)$ and $h(\cdot)$ such that 

$$\forall P, K \quad f(E_K(P)) = E'_{g(K)}(h(P)),$$

where $f$, $g$ and $h$ are not necessarily invertible (and even not necessarily length-preserving). 

Semi-dual ciphers potentially reduce the plaintext, the ciphertext, and the key spaces, and thus may allow efficient attacks to be developed on their original cipher. 

In this context we would like to mention that interpolation attacks [11] exploit the low order of the interpolation polynomial of the cipher. However, they do not exploit other algebraic properties of the interpolation polynomial, such as those used in this paper. 

Definition 3. In this paper we consider ciphers all of whose operations are of the following types: 

- Operations in $GF(2^8)$: 

1. Addition (i.e., XOR: $f(x,y) = x \oplus y$). 

2. XOR with a constant (e.g., $f(x) = x \oplus 3F_x$). 

3. Multiplication ($f(x,y) = x \cdot y$). 

4. Multiply by a constant (e.g., $f(x) = 03_x \cdot x$). 

5. Raise to any power (i.e., $f(x) = x^c$, for any integer $c$). This includes the inverse of $x$: $x^{-1}$. 

6. Any replacement of the order of elements (e.g., taking a vector containing the elements $[a, b, c, d]$, and changing the order to $[d, c, a, b]$). 

- Non-$GF(2^8)$ operations: 

7. Linear transformations $L(x) = Ax$, for any boolean matrix $A$. 

8. Any unary operation over elements in $GF(2^8)$ (i.e., a look-up table, $S(x) = LookUpTable[x]$ or $F(x) : \{0,1\}^8 \to \{0,1\}^8$). 

We call these operations $EGF(2^8)$ operations. 
Please note that this notation implies that in item 7, the variable $x$, which is an element in $GF(2^8)$, is converted to a vector of 8 bits (in $GF(2)^8$) before being multiplied by the matrix $A$. The result is converted back to be an element of $GF(2^8)$. A common representation of the vector is as the vector of coefficients of the polynomial $x$. It should be noted that since XOR with a constant is also allowed in item 2, any affine transformation is included in the operations we consider (i.e., $F(x) = Ax \oplus b$). 

An example of such a cipher is Rijndael (AES) [8]. Many other ciphers are also built from these operations. Some examples are: Shark [6], Square [7], Scream [10], Crypton [13], E2 [16] (without the initial and final permutations), Anubis [2], Khazad [3], and Camellia [1] (with different key scheduling and different FL). Our results can also be extended to Safer++ [14]. 

In this paper we also deal with the special case of self-duality. That is the case where a cipher is a dual of itself. We study this case and show that such ciphers can be attacked faster than exhaustive search. It is interesting to mention that RSA [18] is an example of a self-dual public key cipher. Let $e$ and $n$ be the RSA public key, and let $c = p^e \pmod n$ where $p$ is the plaintext and $c$ is the ciphertext. Then it follows that RSA is a dual of itself: $c^2 = (p^2)^e \pmod n$. 

We also discuss the family of Log Dual Ciphers. In a log dual cipher, the log- 
arithm of the plaintext is encrypted by the logarithm of the key to the logarithm 
of the ciphertext. We show that Rijndael has a family of log dual ciphers. 

We indicate a variety of possible applications for dual ciphers, ranging from 
gaining insight for differential [4] and linear [15] cryptanalysis, to speeding up 
encryption, and to protect against power analysis [12] and fault analysis [5]. 

This paper is organized as follows: In Section 2 we give a short description of Rijndael. Section 3 shows how to define square dual ciphers. Section 4 deals with changing the irreducible polynomial. Section 5 shows how to define logarithmic dual ciphers. In Section 6 we discuss the special case of self-duality and show how to mount an attack on self-dual ciphers. Section 7 deals with the application to other ciphers. Section 8 deals with other applications of dual ciphers. The paper is summarized in Section 9. 

2 Description of Rijndael 

In this section we give a short description of Rijndael. For a full description of Rijndael the reader may consult [8,17]. Rijndael is a block cipher with 128-bit blocks, and three key sizes of 128, 192 and 256 bits. The 128-bit blocks are viewed as either 16 bytes or as four 32-bit words. The bytes are organized in a square form: 

$$\begin{pmatrix} b_0 & b_4 & b_8 & b_{12} \\ b_1 & b_5 & b_9 & b_{13} \\ b_2 & b_6 & b_{10} & b_{14} \\ b_3 & b_7 & b_{11} & b_{15} \end{pmatrix}$$

where $b_i$ denotes the $i$'th byte of the block. 

Each column in this representation can be viewed as a 4-byte word. Rijndael has operations that work on columns, operations that work on rows, and operations that work on each byte separately. 

The plaintexts are encrypted through successive operation of a round function 
10 times (or 12 or 14 times for 192-bit and 256-bit keys, respectively). 

A round is composed of 4 consecutive operations: 

1. ByteSub: An S box is applied to each byte of the data (16 times in parallel). 

2. ShiftRow: Changing the order of bytes in the data. 

3. MixColumn: Every 4 consecutive bytes (a column) are mixed by a linear operation. 

4. AddRoundKey: The data is XORed with a 128-bit subkey. 

The S box of Rijndael takes the multiplicative inverse of the input in $GF(2^8)$ (modulo the irreducible polynomial of Rijndael $x^8 + x^4 + x^3 + x + 1$, which is denoted in binary notation by $11B_x$; for the purpose of inversion the inverse of $00_x$ is defined to be $00_x$), the output of which is transformed by the affine transformation: 



where the $x_i$'s and the $y_i$'s are the coefficients of $x$ and $y$ (i.e., the bits of the bytes), and $x_0$ and $y_0$ are the least significant bits. 

The ShiftRow operation is defined as changing the order of bytes in the data. 
When viewing the data in its square form, ShiftRow is: 

— Leaving the first row unchanged. 

— Shifting the second row by one byte to the left (cyclically). 

— Shifting the third row by two bytes to the left (cyclically). 

— Shifting the fourth row by three bytes to the left (cyclically). 

Taking the square form as the input of the ShiftRow operation, the ShiftRow operation has the following effect: 

$$\begin{pmatrix} b_0 & b_4 & b_8 & b_{12} \\ b_1 & b_5 & b_9 & b_{13} \\ b_2 & b_6 & b_{10} & b_{14} \\ b_3 & b_7 & b_{11} & b_{15} \end{pmatrix} \longrightarrow \begin{pmatrix} b_0 & b_4 & b_8 & b_{12} \\ b_5 & b_9 & b_{13} & b_1 \\ b_{10} & b_{14} & b_2 & b_6 \\ b_{15} & b_3 & b_7 & b_{11} \end{pmatrix}$$

164 Elad Barkan and Eli Biham 

The MixColumn operation mixes every 4 consecutive bytes (every column) of the data. Therefore, there are 4 mix operations in each round. Let $b_i, b_{i+1}, b_{i+2}, b_{i+3}$ be consecutive bytes of a column. The new state is defined by 

$$\begin{pmatrix} b_0 & b_4 & b_8 & b_{12} \\ b_1 & b_5 & b_9 & b_{13} \\ b_2 & b_6 & b_{10} & b_{14} \\ b_3 & b_7 & b_{11} & b_{15} \end{pmatrix} \longrightarrow \begin{pmatrix} b'_0 & b'_4 & b'_8 & b'_{12} \\ b'_1 & b'_5 & b'_9 & b'_{13} \\ b'_2 & b'_6 & b'_{10} & b'_{14} \\ b'_3 & b'_7 & b'_{11} & b'_{15} \end{pmatrix}$$

where $i \in \{0, 4, 8, 12\}$, and all the operations are in $GF(2^8)$: 

$$\begin{pmatrix} b'_i \\ b'_{i+1} \\ b'_{i+2} \\ b'_{i+3} \end{pmatrix} = \begin{pmatrix} 02_x & 03_x & 01_x & 01_x \\ 01_x & 02_x & 03_x & 01_x \\ 01_x & 01_x & 02_x & 03_x \\ 03_x & 01_x & 01_x & 02_x \end{pmatrix} \begin{pmatrix} b_i \\ b_{i+1} \\ b_{i+2} \\ b_{i+3} \end{pmatrix}$$

This operation is actually a multiplication of the column by the polynomial $c(x) = 03_x x^3 + 01_x x^2 + 01_x x + 02_x$ in $GF(2^8)^4$ modulo the polynomial $x^4 + 1$. 

The AddRoundKey simply XORs the 128-bit subkey to the data. The subkey 
is generated by the key expansion. 

The key expansion of Rijndael generates the subkeys from the key using a blend of the same operations used in the rest of Rijndael, and using the round constants $Rcon[i] = (02_x)^{i-1}$ ($i$ starts at 1). 

The round-function of the first and the last rounds are slightly different than 
in other rounds: In the first round there is an additional AddRoundKey opera- 
tion before the round starts, and in the last round the MixColumn operation is 
eliminated. 

When the key size is 128 bits the round-function is repeated 10 times. The 
number of rounds is higher when longer keys are used: there are 12 rounds when 
the key size is 192 bits, and 14 rounds when the key size is 256 bits. 


3 Square Dual Ciphers 

Given a cipher $E$ that uses only operations of $EGF(2^8)$, we define the cipher $E^2$ by modifying the constants of $E$. All the operations that do not involve constants remain unchanged. There are only four operations that involve constants: 

1. $f(x) = c \cdot x$. 

2. $f(x) = c \oplus x$. 

3. $L(x) = Ax$, where $A$ is a constant matrix. 

4. $S(x) = LookUpTable[x]$, where the look-up table is constant. 

In the first two operations we change the constant $c$ in $E$ to be $c^2$ in $E^2$, where $c^2$ is the result of squaring $c$ in $GF(2^8)$. In the affine transformation $A$ is replaced by $QAQ^{-1}$, where in the case of Rijndael $Q$ and $Q^{-1}$ are: 
$$Q = \begin{pmatrix} 1&0&0&0&1&0&1&0 \\ 0&0&0&0&1&0&1&1 \\ 0&1&0&0&0&1&0&0 \\ 0&0&0&0&1&1&1&1 \\ 0&0&1&0&1&0&0&1 \\ 0&0&0&0&0&1&1&0 \\ 0&0&0&1&0&1&0&0 \\ 0&0&0&0&0&0&1&1 \end{pmatrix}, \qquad Q^{-1} = \begin{pmatrix} 1&0&0&1&0&1&0&1 \\ 0&1&1&1&0&0&0&0 \\ 0&0&0&1&1&1&0&0 \\ 0&1&0&1&0&0&1&0 \\ 0&1&0&0&0&0&0&1 \\ 0&1&0&1&0&0&0&0 \\ 0&1&0&1&0&1&0&0 \\ 0&1&0&1&0&1&0&1 \end{pmatrix} \qquad (1)$$


From now on we denote $QAQ^{-1}$ by $A^2$, as we will show later that for any $x$, $QAQ^{-1}x^2 = QAx = (Ax)^2$. $A^2$ of Rijndael is given in the appendix. The matrices $Q$ and $Q^{-1}$ depend on the irreducible polynomial of $GF(2^8)$. The matrices above suit Rijndael's irreducible polynomial $x^8 + x^4 + x^3 + x + 1$. 

Finally, we replace look-up tables of the form $S(x)$ with $S^2(x)$, where $S^2(x)$ is defined as $S^2(x) = QS(Q^{-1}x)$. 

Remark: To make it clear, in our notation $E^2$ is not $E(E(\cdot))$ nor $(E(\cdot))^2$, $A^2$ is not the matrix $A$ multiplied with itself, and $S^2(x)$ is not $(S(x))^2$ nor $S(S(x))$. 

In general terms, to specify $E^2$, we take the specifications of the cipher, raise all the constants in the cipher to their second power, replace matrices $A$ by $A^2 = QAQ^{-1}$ and replace look-up tables $S(x)$ by $S^2(x) = QS(Q^{-1}x)$. If we take Rijndael as an example of $E$, the polynomial $03_x x^3 + 01_x x^2 + 01_x x + 02_x$ of the MixColumn operation is replaced by $05_x x^3 + 01_x x^2 + 01_x x + 04_x$.¹ As a result of the above replacements, the affine transformation $Ax + b$ is replaced by the affine transformation $A^2 x + b^2 = QAQ^{-1}x + b^2$. 

The key expansion consists of S boxes, XORs, and XORs with constants in $GF(2^8)$ (called $Rcon$) which are powers of $02_x$. These operations are replaced by the replacement operations mentioned above, with the $Rcon$ constants being replaced by their squares. 

We will now show that E and E 2 are dual ciphers: 

Theorem 1. For any $K$ and $P$, $E^2_{K^2}(P^2) = (E_K(P))^2$. 

In the context of this paper, the notation $K^2$ and $P^2$ denotes the square operation applied to each byte of $K$ and $P$ (and similarly for any data block). 

This theorem states that if $P$ is the plaintext, $K$ is the key and the result of encryption with cipher $E$ is $C$, then the result of encrypting $P^2$ under the key $K^2$ with the cipher $E^2$ is necessarily $C^2$. 

Proof. Any Galois field is isomorphic to a Galois field of the form $GF(q^m)$, where $q$ is a prime. The number $q$ is called the characteristic of the field. It is well known that for any $a, b \in GF(q^m)$ it follows that $(a + b)^q = a^q + b^q$. In $GF(2^8)$: $(a + b)^2 = a^2 + b^2$. That actually means that squaring an element in $GF(2^8)$ is a linear operation, which can be applied by a multiplication by a binary matrix $Q$ of size $8 \times 8$. We computed the matrix $Q$ of Rijndael, and described it in Eq. (1). It follows that $Q^{-1}$ is the matrix that takes the square root of an element in $GF(2^8)$. 

¹ In $GF(2^8)$, $03_x^2 = 05_x$. 
To complete the proof, it suffices to show that for each operation $f(x)$ in $E$, and the corresponding operation in $E^2$, which we denote in this proof by $f^2(x)$, it follows that $f^2(x^2) = (f(x))^2$: 

1. $f(x,y) = x \oplus y$. In this case $f^2(x^2, y^2) = x^2 \oplus y^2 = (x \oplus y)^2 = (f(x,y))^2$. 

2. $f(x) = x \oplus c$. By definition $f^2(x^2) = x^2 \oplus c^2 = (x \oplus c)^2 = (f(x))^2$. 

3. $f(x,y) = x \cdot y$. In this case $f^2(x^2, y^2) = x^2 \cdot y^2 = (x \cdot y)^2 = (f(x,y))^2$. 

4. $f(x) = x \cdot c$. By definition $f^2(x^2) = x^2 \cdot c^2 = (x \cdot c)^2 = (f(x))^2$. 

5. $f(x) = x^c$. In this case $f^2(x^2) = (x^2)^c = (x^c)^2 = (f(x))^2$. 

6. It is clear that replacing the order of elements after they are raised to their second power is equal to raising the elements to their second power, and then replacing their order. 

7. $f(x) = L(x) = Ax$. By definition $f^2(x^2) = L^2(x^2) = QAQ^{-1}x^2 = QAx = (Ax)^2 = (f(x))^2$, as $Q$ is the matrix which corresponds to the squaring operation in $GF(2^8)$. 

8. $f(x) = S(x) = LookUpTable[x]$. By definition 

$$f^2(x^2) = S^2(x^2) = QS(Q^{-1}x^2) = QS(x) = (S(x))^2 = (f(x))^2.$$


The cipher $E^4 = (E^2)^2$ is a dual cipher of $E^2$, and thus also of $E$. Moreover, all ciphers $E^{2^i}$ (for all $i$), which are $E, E^2, E^4, E^8, E^{16}, E^{32}, E^{64}$ and $E^{128}$, are all dual ciphers of each other (there are 8 such ciphers as $E^{256} = E$). 

It is interesting to note that Rijndael has these 7 dual ciphers independently of the key size, the block size, the number of rounds, and even the order of operations in the cipher. These dual ciphers exist for any cipher all of whose operations are $EGF(2^8)$ operations. 

Note that it is possible to define a trivial square dual cipher for any cipher by taking a cipher $E$ and defining $E^2$ which applies $Q^{-1}$ to the plaintext and $K$, calls $E$, and then applies $Q$ to the result. However, we are interested in non-trivial dual ciphers with different cores. 

4 Modifying the Polynomial 

An $EGF(2^8)$ cipher $E$ can include multiplication modulo an irreducible polynomial. The irreducible polynomial in Rijndael is used for the inverse computation in the S box and also in the multiplications in the MixColumn operation. Several researchers asked why the irreducible polynomial of Rijndael was not selected to be primitive. There are 30 irreducible polynomials of degree 8, of which 16 are primitive. In our discussion it is irrelevant whether the irreducible polynomial is primitive or not, due to the isomorphism of all fields of $GF(2^8)$. The isomorphism transformation that takes one description of a cipher under an irreducible polynomial $g(x)$ to another description with a different irreducible polynomial $\hat{g}(x)$ is linear, and therefore can be represented as a binary matrix $R$ such that $y = R \cdot x$, where $x$ is the vector representation of an element under Rijndael's polynomial $g(x)$, and $y$ is the representation under the new polynomial $\hat{g}(x)$. The matrix $R$ is used in a similar way to the matrix $Q$ of the square dual cipher. The change of operations in the cipher is also similar to the square dual cipher. Note that the $x^2$ operation there is equivalent to $Q \cdot x$, and the same proof of duality follows. 

The $R$ matrix is always of the form $R = (1, a, a^2, a^3, a^4, a^5, a^6, a^7)$, where the $a^i$'s are computed modulo the irreducible polynomial $\hat{g}(x)$. Note that the matrix $Q$ is actually one of these matrices $R$. For each irreducible polynomial we can define its 8 square dual ciphers. Since there are 30 irreducible polynomials, we get that there are 240 dual ciphers for each $EGF(2^8)$ cipher. 

For example, we describe one of these 240 dual ciphers of Rijndael: the irreducible polynomial of Rijndael is replaced by the primitive polynomial $x^8 + x^4 + x^3 + x^2 + 1$ (denoted in binary notation by $11D_x$). In this example, the $R$ matrix is 

$$R = \begin{pmatrix} 1&1&1&1&1&1&1&1 \\ 0&1&0&1&0&1&0&1 \\ 0&0&1&1&0&0&1&1 \\ 0&0&0&1&0&0&0&1 \\ 0&0&0&0&1&1&1&1 \\ 0&0&0&0&0&1&0&1 \\ 0&0&0&0&0&0&1&1 \\ 0&0&0&0&0&0&0&1 \end{pmatrix}.$$

The inverse matrix $R^{-1}$ takes an element of the dual cipher to Rijndael's representation. It is interesting to note that the affine matrix of the S box becomes lower triangular in this case: 

$$\begin{pmatrix} 1&0&0&0&0&0&0&0 \\ 0&1&0&0&0&0&0&0 \\ 0&0&1&0&0&0&0&0 \\ 1&0&0&1&0&0&0&0 \\ 1&1&0&0&1&0&0&0 \\ 0&1&1&0&0&1&0&0 \\ 0&0&1&1&0&0&1&0 \\ 0&0&0&1&1&0&0&1 \end{pmatrix}.$$

Also, the constant $63_x$ in the S box becomes $64_x$, and the coefficients $03_x, 02_x$ of the MixColumn operation are interchanged (i.e., to $02_x, 03_x$). The coefficients $0B_x, 0D_x, 09_x, 0E_x$ are also interchanged in pairs to $0D_x, 0B_x, 0E_x, 09_x$. The $Rcon$ constants $(02_x)^{i-1}$ are replaced by $(03_x)^{i-1}$. 

Thus, we conclude that the choice of the irreducible polynomial of Rijndael 
is arbitrary, and in particular, there is no advantage to selecting a primitive 
polynomial over the current polynomial of Rijndael. 
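As an added example (not code from the paper), the following Python builds the isomorphism matrices of Sections 3 and 4 from their definition (column $i$ is $a^i$) and checks the claims made about them: that $Q$ is the squaring map, that $R$ for $11D_x$ is a field isomorphism sending $02_x \mapsto 03_x$, and that conjugating the S-box affine matrix by $R$ gives the lower-triangular matrix above. Assumption: the S-box affine matrix is the FIPS-197 one, $y_i = x_i \oplus x_{i+4} \oplus x_{i+5} \oplus x_{i+6} \oplus x_{i+7}$ (indices mod 8), which the page itself does not reproduce.

```python
# Added example, not code from the paper: the GF(2^8) isomorphism matrices of
# Sections 3 (Q, squaring) and 4 (R, change of irreducible polynomial).
# Bytes are bit vectors with bit 0 = least significant bit, as in the paper.

RIJNDAEL_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the paper's 11B_x
PRIMITIVE_POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1, the paper's 11D_x


def gf_mul(a, b, poly):
    """Multiply two bytes as elements of GF(2^8) modulo poly (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= poly
    return r


def iso_matrix(a, poly):
    """8x8 binary matrix whose column i is a^i mod poly, i.e. the paper's
    R = (1, a, a^2, ..., a^7), returned as 8 rows (row j = bit j of each column)."""
    cols, p = [], 1
    for _ in range(8):
        cols.append(p)
        p = gf_mul(p, a, poly)
    return [[(c >> j) & 1 for c in cols] for j in range(8)]


def apply_matrix(m, x):
    """y = M x over GF(2) for a byte x."""
    y = 0
    for j, row in enumerate(m):
        bit = 0
        for i, mij in enumerate(row):
            bit ^= mij & (x >> i)
        y |= (bit & 1) << j
    return y


def conjugate(m, r):
    """R M R^{-1}: the matrix M rewritten for the representation y = R x.
    R^{-1} is obtained by tabulating R over all 256 bytes."""
    inverse = {apply_matrix(r, x): x for x in range(256)}
    cols = [apply_matrix(r, apply_matrix(m, inverse[1 << i])) for i in range(8)]
    return [[(c >> j) & 1 for c in cols] for j in range(8)]


def rows(bit_strings):
    """Parse a matrix written row by row as in the paper, e.g. '10001010'."""
    return [[int(ch) for ch in s] for s in bit_strings]


# Squaring is linear over GF(2) and sends the basis element x^i to x^{2i},
# so Q is the R-type matrix for a = x^2 = 04_x under Rijndael's polynomial.
Q = iso_matrix(0x04, RIJNDAEL_POLY)

# Change of polynomial: R sends Rijndael's x (02_x) to 03_x, which is a root
# of x^8 + x^4 + x^3 + x + 1 inside the field represented modulo 11D_x.
R = iso_matrix(0x03, PRIMITIVE_POLY)

# Rijndael's S-box affine matrix as in FIPS-197 (assumption; not on the page):
# y_i = x_i + x_{i+4} + x_{i+5} + x_{i+6} + x_{i+7}, indices mod 8.
AES_AFFINE = [[1 if (j - i) % 8 in (0, 4, 5, 6, 7) else 0 for j in range(8)]
              for i in range(8)]


def squaring_is_linear():
    """Q x == x^2 for every byte, i.e. (a + b)^2 = a^2 + b^2 in GF(2^8)."""
    return all(apply_matrix(Q, x) == gf_mul(x, x, RIJNDAEL_POLY) for x in range(256))


def r_is_field_isomorphism():
    """R(x * y mod 11B_x) == R(x) * R(y) mod 11D_x for all x, y."""
    rx = [apply_matrix(R, x) for x in range(256)]
    return all(rx[gf_mul(x, y, RIJNDAEL_POLY)] == gf_mul(rx[x], rx[y], PRIMITIVE_POLY)
               for x in range(256) for y in range(256))


def dual_affine_ok(r):
    """With A' = R A R^{-1}: A'(R x) == R(A x) for all x, the step used in the
    duality proof (for r = Q this reads A^2 x^2 = (A x)^2)."""
    a2 = conjugate(AES_AFFINE, r)
    return all(apply_matrix(a2, apply_matrix(r, x)) == apply_matrix(r, apply_matrix(AES_AFFINE, x))
               for x in range(256))


if __name__ == "__main__":
    print("Q matches the paper:", Q == rows(["10001010", "00001011", "01000100", "00001111",
                                              "00101001", "00000110", "00010100", "00000011"]))
    print("03_x^2 =", hex(apply_matrix(Q, 0x03)))
    print("R(02), R(03), R(63) =", [hex(apply_matrix(R, c)) for c in (0x02, 0x03, 0x63)])
    for row in conjugate(AES_AFFINE, R):
        print("".join(map(str, row)))
```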
5 Log Dual Ciphers 

In this section we discuss dual ciphers which we call log dual ciphers. We actually describe a family of log dual ciphers, which differ slightly from each other. 

Let $g$ be a generator in $GF(2^8)$. Since the cipher works on elements of $GF(2^8)$ we can write any element $x$ as an exponent of $g$, i.e., $x = g^i$, except for $x = 0$, which we define as $g^{-\infty}$. In logarithmic notation we write $\log_g x = i$, where $\log_g 0 = -\infty$. In the log cipher we use the logarithm representation of the elements, instead of the polynomial representation used in the original description of the cipher. 

Let $x$ and $y$ be elements of $GF(2^8)$, and let $i = \log_g x$, $j = \log_g y$. 

We use the notation $E^{\log_g}$, or shortly $E^{\log}$, to denote the log dual cipher. The log dual cipher is defined by taking the specifications of the cipher, and replacing the following operations: 

1. The operation $f(x,y) = x \oplus y$ is replaced by the operation $f^{\log}(i,j) = j + T(i - j) \pmod{255}$ or by $f^{\log}(i,j) = i + T(j - i) \pmod{255}$, where $T(i)$ is defined as $T(i) = \log_g(g^i \oplus 1)$. In cases where $-\infty$ appears in $f^{\log}$, we define $f^{\log}(-\infty, j) = j$ and $f^{\log}(i, -\infty) = i$. 

2. The operation $f(x) = x \oplus c$ is replaced by the operation $f^{\log}(i) = k + T(i - k) \pmod{255}$, where $k = \log_g c$ (item 1 with $j = k$). 

3. The operation $f(x,y) = x \cdot y$ is replaced by the operation $f^{\log}(i,j) = i + j \pmod{255}$. If either $x$ or $y$ is 0 (i.e., $i$ or $j$ is $-\infty$), then the result is $-\infty$. 

4. The operation $f(x) = x \cdot c$ is replaced by the operation $f^{\log}(i) = i + k \pmod{255}$, where $k = \log_g c$. 

5. The operation $f(x) = x^m$ is replaced by the operation $f^{\log}(i) = i \cdot m \pmod{255}$. If $i = -\infty$ then the result is $-\infty$. 

6. Replacement of the order of elements remains the same replacement of the order of the elements. 

7. The operation $S(x) = LookUpTable[x]$ is replaced by the operation $S^{\log}(i) = \log_g(S(g^i))$. 

8. The linear transformation $L(x) = Ax$ is treated as a look-up table (as in the previous item). 

The definition of $\log_g(0) = -\infty$ is made carefully, ensuring that this definition is consistent: When applying the operation $j + T(i - j)$, a $-(-\infty)$ might result as an argument to $T$. We define that $j + (-\infty) = -\infty$ (which corresponds to multiplication by 0 in the original cipher or to XOR of a value with itself), $-\infty \cdot c = -\infty$ (which corresponds to an exponentiation of 0 in the original cipher), $-\infty - (-\infty) = 0$ (which corresponds to $0 \oplus 0$, or to $x \oplus 0$), and $i - (-\infty) \neq j - (-\infty)$ for $i \neq j$ (meaning that $-(-\infty)$ does not consume $i$). $T(-\infty) = 0$, $T(0) = -\infty$, and $T(i - (-\infty)) = -(-\infty) + i$. Note that the $-(-\infty)$ is always a result of an application of $T$. Then, another $+(-\infty)$ is always waiting to cancel it (as $j$). Therefore, the result of the $T$ operation is always a number or a $-\infty$. 

The following theorem proposes that if $P$ is the plaintext, $K$ is the key and the result of encryption of $P$ under the key $K$ with cipher $E$ is $C$, then the result of encrypting $\log_g(P)$ under the key $\log_g(K)$ with the cipher $E^{\log}$ is necessarily $\log_g(C)$.

Theorem 2. Let $g$ be a generator of $GF(2^8)$. For any $K$ and $P$:

$$E^{\log}_{\log_g K}(\log_g P) = \log_g(E_K(P)).$$

In the context of this paper $\log_g X$ denotes the log of each byte of $X$.

Proof. It suffices to show that for each operation $f(x)$ in $E$, and the corresponding operation in $E^{\log}$, which we denote by $f^{\log}(x)$, it holds that $f^{\log}(\log_g x) = \log_g(f(x))$.

1. $f(x,y) = x \oplus y$. By definition $f^{\log}(i,j) = j + T(i - j) = j + \log_g(g^{i-j} \oplus 1) = \log_g(g^j \cdot (g^{i-j} \oplus 1)) = \log_g(g^i \oplus g^j) = \log_g(x \oplus y) = \log_g(f(x,y))$.

2. $f(x) = x \oplus c$: in the same way as the previous item.

3. $f(x,y) = x \cdot y$. In this case $f^{\log}(i,j) = i + j = \log_g(g^{i+j}) = \log_g(x \cdot y) = \log_g(f(x,y))$.

4. $f(x) = x \cdot c$: in the same way as the previous item.

5. $f(x) = x^c$. In this case $f^{\log}(i) = i \cdot c = \log_g(x^c) = \log_g(f(x))$.

6. It is clear that replacing the order of elements after their log-value is taken is equal to replacing the order of elements and then taking their log-value.

7. $f(x) = S(x) = \mathrm{LookUpTable}[x]$. In this case, by definition of $f^{\log}$ it follows that $f^{\log}(i) = S^{\log}(i) = \log_g(S(g^i)) = \log_g(S(x)) = \log_g(f(x))$.

8. $L(x) = Ax$ is considered like a table in the previous item, and is treated in the same way.

The above equations hold also in the case that $-\infty$ is an argument. ∎

Note that the non-linear part of the ByteSub transformation of Rijndael in the log dual cipher becomes very simple (and linear). The non-linear part is finding the multiplicative inverse of an element. This operation is replaced by negation in the log dual cipher:

$$x^{-1} \mapsto -i.$$

The $T$ transformation is non-linear. It has interesting properties. Here are some of the properties of the $T$ transformation:

1. $T(x) - T(-x) = x$

2. $T(2x) = 2T(x)$ (therefore, $\forall i$, $T(2^i x) = 2^i T(x)$)

3. $T(T(x)) = x$

4. Let $g = g'^{y}$; then $y\,T_g(x) = T_{g'}(yx)$

5. $T_g = T_{g^{2^i}}$

6. $T(x) = -T(-T(-x))$

7. $T(85) = 170$, $T(170) = 85$, and if $T(x) = x/2$ then $x \in \{85, 170\}$. Note that $85/2 = 170 \pmod{255}$

8. $T(0) = -\infty$.



170 Elad Barkan and Eli Biham

(As noted above, $T(i - (-\infty)) = -(-\infty) + i$.)

9. $T(-\infty) = 0$.

10. $T(x) = T(x \pm 255)$, i.e., the cycle size of $T$ is 255.

Proofs of the properties of $T(x)$ will appear in the full paper.

The table of $T(x)$ with the generator $03_x$ is given in Table 1.

Table 1. The table $T(x)$ with the generator $03_x$ and the irreducible polynomial $11B_x$ (Rijndael). (The $16 \times 16$ table of the values $T[x]$, $x = 0, \dots, 255$, is not reproduced here.)

Each one of the 240 mentioned representations of Rijndael has the same set 
of 128 log dual ciphers. 
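As an added illustration (not code from the paper), the following Python builds the log-domain representation of this section for Rijndael's field ($GF(2^8)$ modulo $11B_x$ with generator $03_x$), derives $T$, and checks the XOR rule of Theorem 2, the listed properties of $T$ (including $T(85) = 170$), and that the inversion step of ByteSub becomes $i \mapsto -i$. The S-box is built from the standard Rijndael definition (inversion followed by the affine map with constant $63_x$); nothing else is assumed.

```python
# Added example (not code from the paper): the log dual cipher of Section 5
# instantiated for Rijndael's field, GF(2^8) modulo 11B_x with generator 03_x.
# It derives the T table of Table 1, checks the listed properties of T, checks
# the log-domain XOR rule against the field (Theorem 2, item 1) and shows that
# the inversion step of ByteSub becomes negation of the exponent, i -> -i.

POLY = 0x11B     # x^8 + x^4 + x^3 + x + 1
GEN = 0x03
NEG_INF = None   # represents log_g(0) = -infinity


def gf_mul(a, b):
    """Schoolbook multiplication in GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inverse(x):
    """Multiplicative inverse found by search; 0 maps to 0 as in Rijndael."""
    if x == 0:
        return 0
    return next(y for y in range(1, 256) if gf_mul(x, y) == 1)


def build_tables():
    """EXP[i] = g^i for 0 <= i < 255; LOG[x] = i with g^i = x; LOG[0] = -inf."""
    exp, log, x = [0] * 255, [NEG_INF] * 256, 1
    for i in range(255):
        exp[i], log[x] = x, i
        x = gf_mul(x, GEN)
    assert x == 1, "03_x must have multiplicative order 255"
    return exp, log


EXP, LOG = build_tables()


def T(i):
    """T(i) = log_g(g^i xor 1), with T(-inf) = 0 and T(0) = -inf by definition."""
    if i is NEG_INF:
        return 0
    return LOG[EXP[i % 255] ^ 1]      # i = 0 gives LOG[0] = -inf


def log_xor(i, j):
    """Log-domain replacement of x xor y: j + T(i - j) (mod 255)."""
    if i is NEG_INF:
        return j
    if j is NEG_INF:
        return i
    t = T(i - j)
    return NEG_INF if t is NEG_INF else (j + t) % 255


def log_mul(i, j):
    """Log-domain replacement of x * y: i + j (mod 255)."""
    if i is NEG_INF or j is NEG_INF:
        return NEG_INF
    return (i + j) % 255


def rijndael_affine(b):
    """Affine part of ByteSub, A*b xor 63_x, in its bit-rotation form."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63


def sbox(x):
    """Rijndael S-box: field inversion followed by the affine map."""
    return rijndael_affine(gf_inverse(x))


def log_sbox(i):
    """S^log(i) = log_g(S(g^i)), the S-box as used by the log dual cipher."""
    return LOG[sbox(0)] if i is NEG_INF else LOG[sbox(EXP[i % 255])]


def xor_rule_matches_field():
    """log_xor(log x, log y) == log(x xor y) for every x, y, including zero."""
    return all(log_xor(LOG[x], LOG[y]) == LOG[x ^ y]
               for x in range(256) for y in range(256))


def t_properties_hold():
    """Properties 1, 2, 3 and 7 of T from Section 5, for every x in 1..254."""
    for x in range(1, 255):
        if (T(x) - T(-x)) % 255 != x:          # T(x) - T(-x) = x
            return False
        if T(2 * x) != (2 * T(x)) % 255:      # T(2x) = 2 T(x)
            return False
        if T(T(x)) != x:                      # T(T(x)) = x
            return False
    return T(85) == 170 and T(170) == 85


def inversion_is_negation():
    """log_g(x^-1) = -log_g(x) (mod 255): the non-linear step is linear here."""
    return all(LOG[gf_inverse(EXP[i])] == (-i) % 255 for i in range(255))
```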


6 Self-Dual Ciphers 

We mention that any cipher is trivially dual to itself. However, it is possible to find ciphers that are self-dual in a non-trivial way. One such interesting family of dual ciphers is square dual ciphers. Let $E$ be a square self-dual cipher. It follows that:

$$(E_K(P))^2 = E_{K^2}(P^2).$$

This means that each constant is the square of itself. In $GF(2^8)$ it means that the constants are either 0 or 1.

If we take Rijndael as an example, we need to change the constant $63_x$ in the affine transformation in the S box to either $00_x$ or $01_x$. We would also need to change the constants of the mix column operation. A possible alternative matrix for the mix column operation, whose entries consist of only 0's and 1's, is:



In the key expansion we need to change the round constant. Any selection of values from $\{0_x, 1_x\}$ can be made for the Rcon constants. There are various such selections that can still prevent related key attacks.

We can replace the affine transformation by a self-dual one. We can easily find 8 affine transformations that are self-squares: The matrix $Q$ (shown in Eq. [ref]) is the square of itself under our definition, since $Q^2 = Q \cdot (Q) \cdot Q^{-1} = Q$. The order of $Q$ is 8, therefore we can easily find 8 self-square affine transformations: $Q$, $Q \cdot Q$, $Q \cdot Q \cdot Q$, $\dots$, $Q^7$ and $Q^8 = I$. Notice that all the linear combinations with coefficients from $\{0_x, 1_x\}$ of these matrices are also self-square matrices. Therefore, there are 256 such self-square matrices. Detailed analysis shows that these are all the self-square matrices. Of these 256 matrices only 128 are involutions.

6.1 Higher Order Self-Dual Cipher 

In Section 6 we introduced the square self-dual cipher. In a similar way we can define the 4th power self-dual cipher. Let $E$ be a 4th power self-dual cipher. It follows that:

$$(E_K(P))^4 = E_{K^4}(P^4).$$

This means that each constant is the 4th power of itself. There are 4 such elements: the elements 0 and 1, and the two elements of order 3 (which are $g^{85}$ and $g^{170}$, where $g$ is a generator).

We need the affine transformation to be self-dual, and therefore: $A^4 = Q \cdot Q \cdot (A) \cdot Q^{-1} \cdot Q^{-1} = A$. We can see that $Q$, $Q \cdot Q$, $Q \cdot Q \cdot Q$, $\dots$, $Q^7$ and $Q^8 = I$ solve it, much like for the square self-dual cipher, along with all their linear combinations with coefficients from $\{0_x, 1_x, g^{85}, g^{170}\}$ (which is $GF(2^2)$). The total number of linear combinations is $2^{16}$, of which $3 \cdot 2^{13}$ are involutions.

For the 16th power square self-dual cipher all the constants should be 0, 1, and all the 14 elements of orders 3, 5, and 15. The 16th power square self-dual matrices are all the linear combinations of the $Q^i$ matrices, with coefficients from the above constants. The total number of 16th power square self-dual matrices is $2^{32}$, of which $7 \cdot 5 \cdot 3^2 \cdot 2^{22}$ matrices are involutions. Fortunately, Rijndael's matrix is none of these matrices.
6.2 Cryptanalysis of Self-Dual Ciphers

The self-dual property of a cipher can be used to mount an attack which reduces the complexity of exhaustive search by a factor of about 8 in the case above (or by a factor of the number of self-duals in the more general case). For example, if the key size is 128 bits, exhaustive search takes $2^{128}$ operations, and the attack we propose requires about $2^{125}$ operations. If we consider the expected time to complete the attack, exhaustive search takes about $2^{127}$, and our attack takes about $2^{124}$ operations.

It is interesting to note that the number of rounds of the cipher does not 
affect the complexity of this attack. 

By using the following chosen plaintext attack the key can be discovered in $2^{125}$ operations using 8 chosen plaintexts.

The attack takes advantage of cycles of keys under the squaring operation: A cycle is a set of keys where each key is the square of its predecessor, i.e., $\{K', K'^2, K'^4, \dots\}$, and where the square of the last element equals the first element. Note that the possible cycle lengths are 8, 4, 2, and 1.

1. Choose a plaintext $P$, and compute $P_i = P^{2^i}$, for $i = 0, \dots, 7$.

2. Ask for the encryption of $P_0, \dots, P_7$, and denote the corresponding ciphertexts by $C_0, \dots, C_7$. For every $i$, compute $C_i' = (C_i)^{2^{-i}}$, where the square root is defined to be the operation that finds for every byte its square root in $GF(2^8)$ (there is only one square root for each value).

3. Choose one key $K'$ in each cycle, and compute $C = E_{K'}(P_0)$. If $C = C_i'$ for some $i \in \{0, \dots, 7\}$, $K'^{2^i}$ is a candidate to be $K$. Otherwise, $K$ is not one of $\{K'^{2^i}\}$.

An equality $C = C_i'$ in step 3 ensures that encryption of $P_i$ under the key $K'^{2^i}$ gives $C_i$. If $C = C_i'$, then $C^{2^i} = C_i'^{\,2^i} = C_i$. Therefore, $C^{2^i} = (E_{K'}(P_0))^{2^i} = C_i = E_K(P_i) = E_K(P_0^{2^i})$. From the self-duality property it follows that $K = K'^{2^i}$ (or that this is a false alarm).

Note that the correct key is always found by this method, since for the correct key $K$: $E_K(P_0) = C_0$. The self-duality property implies that this happens if and only if for any $i$, $E_{K^{2^i}}(P_0^{2^i}) = C_0^{2^i}$. For each cycle, for example, for $\{K', K'^2, \dots, K'^{2^7}\}$, we test only one key. If this key is $K$, then we would find it on the first equation. If one of the other keys is $K$, then the corresponding equation holds. So by checking one key out of a cycle we cover the whole cycle.

We test about 8 keys for every trial encryption. It is easy to choose the keys $K'$ in such a way that we choose only one key out of each cycle of keys. Therefore, this attack finds the key in about $2^{125}$ time. In the full version of this paper we analyze the complexity of the attack and show how to enumerate the keys (choose only one key of each cycle), and show that the total number of cycles, and thus the maximal complexity of this attack, is $2^{125} + 2^{61} + 2^{30} + 2^{15}$, using 8 chosen plaintexts. The average case complexity is $2^{124 + \varepsilon}$ where $\varepsilon = 2^{-4} + 2^{-67} + 2^{-98}$.

We note that a similar attack can be designed for higher order self-dual 
ciphers. 
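As an added example (not from the paper), the following Python counts the cycles of keys under byte-wise squaring in $GF(2^8)$, which is the number of trial encryptions the attack above needs and therefore measures how much key entropy self-duality gives away. A brute-force count for 1- and 2-byte keys is checked against a Burnside-type closed form, which for 16-byte keys gives the $2^{125} + 2^{61} + 2^{30} + 2^{15}$ stated above. The irreducible polynomial $11B_x$ is assumed, as in Rijndael.

```python
# Added example (not from the paper): cycles of keys under byte-wise squaring
# K -> K^2 in GF(2^8) (polynomial 11B_x assumed, as in Rijndael). The number
# of such cycles is the number of trial encryptions the self-dual attack of
# Section 6.2 needs, so it measures how much key entropy self-duality costs.

from itertools import product
from math import gcd

POLY = 0x11B


def gf_square(x):
    """x^2 in GF(2^8): in characteristic 2, (sum b_i x^i)^2 = sum b_i x^(2i)."""
    r = 0
    for i in range(8):
        if (x >> i) & 1:
            r |= 1 << (2 * i)
    for i in range(14, 7, -1):        # reduce degrees 14..8 modulo POLY
        if (r >> i) & 1:
            r ^= POLY << (i - 8)
    return r


def key_square(key):
    """K^2: squaring applied to every byte of the key (a tuple of ints)."""
    return tuple(gf_square(b) for b in key)


def cycle_length(key):
    """Length of the squaring cycle through key; always 1, 2, 4 or 8."""
    k, n = key_square(key), 1
    while k != key:
        k, n = key_square(k), n + 1
    return n


def count_cycles_bruteforce(nbytes):
    """Walk every cycle of keys of nbytes bytes (feasible only for small nbytes)."""
    seen, cycles = set(), 0
    for key in product(range(256), repeat=nbytes):
        if key in seen:
            continue
        cycles += 1
        k = key
        while k not in seen:
            seen.add(k)
            k = key_square(k)
    return cycles


def count_cycles_closed_form(nbytes):
    """Burnside's lemma for the cyclic group of order 8 generated by squaring.

    Squaring applied t times fixes exactly the bytes lying in the subfield
    GF(2^gcd(t, 8)), hence 2^(nbytes*gcd(t, 8)) keys; t = 0 fixes all keys.
    """
    total = sum(2 ** (nbytes * gcd(t, 8)) for t in range(8))
    return total // 8


def rijndael_key_cycles():
    """Number of squaring cycles for a 16-byte (128-bit) key."""
    return count_cycles_closed_form(16)
```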
7 Application to Other Ciphers

Square [7], Scream [10], Anubis [2], Crypton [13] and Khazad [3] are all $EGF(2^8)$ ciphers. E2 [16] (without the initial and final permutations) and Camellia [1] (with a different key scheduling and a different FL) are also $EGF(2^8)$ ciphers. Thus, our results hold for these ciphers as well.

Our work can be extended to include ciphers such as Safer++ [14]. The only operation in Safer++ that is not an $EGF(2^8)$ operation is addition modulo 256: $f(x,y) = x + y \pmod{256}$. For the square dual cipher, we can define $f^2(x^2, y^2) = (f(x,y))^2$. $f^2$ can be implemented by $f^2(x,y) = Q f(Q^{-1} x, Q^{-1} y)$. This results in a substitution table of size $2^{16}$.

It should be noted that since Safer++ does not use $GF(2^8)$ multiplications or exponentiations, the irreducible polynomial is irrelevant. For such a cipher, we can create a wide range of dual ciphers by using any invertible binary matrix $Q$ of size $8 \times 8$. The operation $f^Q(x)$ is defined as $f^Q(x) = Q f(Q^{-1} x)$. For operations with two parameters, $f^Q(x,y) = Q f(Q^{-1} x, Q^{-1} y)$. A constant $c$ is replaced by $Qc$. This change does not fundamentally change the differential [4] properties of such functions, since $Q$ and $Q^{-1}$ are linear and invertible.

If we take E2, remove the initial and final transformations and the affine operation, and also change the $u_i$ value of the key scheduling to be composed only of 0's and 1's, then E2 is a self-dual cipher. That means that the attack we present in this paper is also applicable to this variant.

8 Other Applications 

A possible application of dual ciphers is for developing differential [4] or lin- 
ear [15] attacks. In such cases the insight gained from the dual ciphers can be 
used to attack the dual cipher, an attack which can be easily transformed to the 
original. A possible example for such insight might be the simplification of the 
affine transformation in the S box to a triangular matrix (see Section 0), which 
reduces the effect of modifying bits in the input on the resultant output of this 
transformation. 

Another interesting application of dual ciphers might be an optimization of the speed of the cipher, as in some cases the dual cipher might actually be faster to compute than the original cipher! For example, many ciphers include multiplications by constants. The Hamming weight and the size of the constant have implications on the implementation efficiency. Thus, finding a more efficient dual cipher might be a good optimization strategy. Also, in some cases encryption might be fastest using one dual cipher, and decryption fastest using another dual cipher.

The existence of dual ciphers can also be used to protect implementation 
against fault-analysis [5] and power-analysis [12], by selecting a different dual 
cipher at random each time an encryption or decryption is desired. 
9 Summary

In this paper we show how to write many different implementations of Rijndael 
using its various dual ciphers. We describe hundreds of non-trivial dual ciphers of 
Rijndael, many of them differ from Rijndael only by the replacement of constants. 
We also discuss an attack on self-dual ciphers. 

We conclude that the irreducible polynomial of Rijndael is chosen arbitrarily, and that it is possible to replace the irreducible polynomial of Rijndael by any other irreducible or primitive polynomial without changing the strength of the cipher, and even without changing the cipher itself.
Abstract. Rijndael-like structure is a special case of SPN structure. The linear transformation of Rijndael-like structures consists of linear transformations of two types: one is the byte permutation $\pi$ and the other is the linear transformation $\theta = (\theta_1, \theta_2, \theta_3, \theta_4)$, where each $\theta_i$ separately operates on one of the four columns of a state. Furthermore, $\pi$ and $\theta$ have some interesting properties. In this paper, we present a new method for upper bounding the maximum differential probability and the maximum linear hull probability for Rijndael-like structures. By applying our method to Rijndael, we obtain that the maximum differential probability and the maximum linear hull probability for 4 rounds of Rijndael are bounded by $1.06 \times 2^{-96}$.

1 Introduction 

SPN (Substitution and Permutation Network) structure is one of the most commonly used structures in block ciphers. SPN structure is based on Shannon's principles of confusion and diffusion [ref], and these principles are implemented through the use of substitution and linear transformation, respectively.

Rijndael [ref], Crypton [ref] and Square [ref] are block ciphers composed of SPN structures. They have a common point in the type of their linear transformations. Each of their linear transformations consists of linear transformations of two types: one is the byte permutation $\pi$ and the other is the linear transformation $\theta = (\theta_1, \theta_2, \theta_3, \theta_4)$, where each $\theta_i$ separately operates on one of the four columns of a state. Furthermore, each byte of each column of $y = \pi(x)$ comes from a different column of $x$, and we can determine the branch number of each $\theta_i$. In this paper, we call such an SPN structure a Rijndael-like structure.

The security of SPN structures against differential cryptanalysis [ref] and linear cryptanalysis [ref] depends on the maximum differential probability and the maximum linear hull probability. In [ref], Keliher et al. proposed a method for finding the upper bound on the maximum average linear hull probability for SPN structures. Application of their method to Rijndael yields an upper bound
Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 176- IT5T1 2002. 
of $2^{-75}$ when 7 or more rounds are approximated. In [ref], it was proposed that the improved upper bound on the maximum average linear hull probability for Rijndael when 9 or more rounds are approximated is $2^{-92}$, corresponding to a lower bound on the data complexity of $2^{97}$. This is based on completion of 43% of the computation. It is estimated that the running time to completion is 200,000 hours on a single Sun Ultra 5.

In this paper, we present a new method for upper bounding the maximum differential probability and the maximum linear hull probability for Rijndael-like structures. We prove that the maximum differential probability for 4 rounds of Rijndael-like structures is bounded by $4p^{19} + 6p^{18} + 4p^{17} + p^{16}$, when the maximum differential probability for S-boxes is $p$ ($\le 2^{-3}$). Also, we prove that the maximum linear hull probability for 4 rounds of Rijndael-like structures is bounded by $4q^{19} + 6q^{18} + 4q^{17} + q^{16}$, when the maximum linear hull probability for S-boxes is $q$ ($\le 2^{-3}$). By applying our method to Rijndael, we obtain that the maximum differential probability and the maximum linear hull probability for 4 rounds of Rijndael are bounded by $1.06 \times 2^{-96}$.

2 SPN Structures 

One round of SPN structures generally consists of three layers: key addition, substitution, and linear transformation. In the key addition layer, round subkeys and round input values are exclusive-ored. The substitution layer is made up of $n$ small nonlinear substitutions referred to as S-boxes, and the linear transformation layer is a linear transformation that diffuses the cryptographic characteristics of the substitution layer. A typical example of one round of SPN structures is given in Figure 1.

On $r$ rounds of SPN structures, the linear transformation of the last round is generally omitted, because it has no cryptographic significance. Therefore, 2 rounds of SPN structures are given in Figure [ref].

S-boxes and linear transformations should be invertible in order to decipher. Therefore we assume that all S-boxes are bijections from $Z_2^m$ to itself. Moreover, throughout this paper, we assume that round subkeys are independent and uniformly distributed.

Let $S$ be an S-box with $m$ input and output bits. The differential and linear probabilities of $S$ are defined as follows:



Fig. 1. One round of SPN structures
Definition 1. For any given $a, b, \Gamma_a, \Gamma_b \in Z_2^m$, define the differential probability $DP^S(a,b)$ and the linear probability $LP^S(\Gamma_a, \Gamma_b)$ of $S$ by

$$DP^S(a,b) = \frac{\#\{x \in Z_2^m \mid S(x) \oplus S(x \oplus a) = b\}}{2^m}$$

and

$$LP^S(\Gamma_a, \Gamma_b) = \left(\frac{\#\{x \in Z_2^m \mid x \cdot \Gamma_a = S(x) \cdot \Gamma_b\}}{2^{m-1}} - 1\right)^2,$$

respectively, where $x \cdot y$ denotes the parity (0 or 1) of the bitwise product of $x$ and $y$. $a$ and $b$ are called the input and output differences, respectively. Also, $\Gamma_a$ and $\Gamma_b$ are called the input and output mask values, respectively.

The strength of an S-box $S$ against differential cryptanalysis is decided by the maximum differential probability $\max_{a \ne 0,\, b} DP^S(a,b)$. The strength of an S-box $S$ against linear cryptanalysis is decided by the maximum linear probability $\max_{\Gamma_a,\, \Gamma_b \ne 0} LP^S(\Gamma_a, \Gamma_b)$.

Definition 2. The maximum differential probability $p$ and the maximum linear probability $q$ of $S$ are defined by

$$p = \max_{a \ne 0,\, b} DP^S(a,b)$$

and

$$q = \max_{\Gamma_a,\, \Gamma_b \ne 0} LP^S(\Gamma_a, \Gamma_b),$$

respectively.

The maximum differential probability $p$ and the maximum linear probability $q$ for a strong S-box $S$ should be small enough for any input difference $a \ne 0$ and any output mask value $\Gamma_b \ne 0$.

Definition 3. A differentially active S-box is defined as an S-box given a non-zero input difference, and a linearly active S-box is defined as an S-box given a non-zero output mask value.

Since all S-boxes in the substitution layer are bijective, if an S-box is differentially/linearly active, then it has a non-zero output difference/input mask value.

For SPN structures, there is a close relationship between the differential probability and the number of differentially active S-boxes. When the number of differentially active S-boxes is large, the differential probability becomes small, and when the number of differentially active S-boxes is small, the differential probability becomes large. Therefore, the concept of the branch number was proposed [ref]. We call the minimum number of differentially active S-boxes of 2 rounds of SPN structures the branch number from the viewpoint of differential cryptanalysis. Also, we call the minimum number of linearly active S-boxes of 2 rounds of SPN structures the branch number from the viewpoint of linear cryptanalysis.

The linear transformation $L : (Z_2^m)^n \to (Z_2^m)^n$ can be represented by an $n \times n$ matrix $M = (m_{ij})$ and $L(x) = Mx$, where $x \in (Z_2^m)^n$ and the addition is bitwise exclusive-or. For the block ciphers E2 [ref] and Camellia [ref], $m_{ij} \in Z_2$ and the multiplication is trivial. For the block cipher Crypton [ref], $m_{ij} \in Z_2^m$ and the multiplication is the bitwise logical-and operation. For the block cipher Rijndael [ref], $m_{ij} \in GF(2^m)$ and the multiplication is defined as the multiplication over $GF(2^m)$.

It is easy to show that $L(x) \oplus L(x^*) = L(x \oplus x^*)$ and $DP^L(a, L(a)) = 1$ [ref].

Definition 4. Let $L$ be the linear transformation over $(Z_2^m)^n$. The branch number of $L$ from the viewpoint of differential cryptanalysis, $\beta_d$, is defined by

$$\beta_d = \min_{x \ne 0}\{wt(x) + wt(L(x))\},$$

where $wt(x) = wt(x_1, x_2, \dots, x_n) = \#\{1 \le i \le n \mid x_i \ne 0\}$.

Throughout this paper, we define $wt(x) = wt(x_1, x_2, \dots, x_n) = \#\{1 \le i \le n \mid x_i \ne 0\}$ when $x = (x_1, x_2, \dots, x_n)$. If $x \in Z_2^m$, then $wt(x)$ is the Hamming weight of $x$.

It is proved that, if $m_{ij} \in Z_2$, then $LP^L(M^t \Gamma_b, \Gamma_b) = 1$. Therefore, we know that $LP^L(\Gamma_a, (M^{-1})^t \Gamma_a) = 1$. Also, if $m_{ij} \in GF(2^m)$, then it is proved that $LP^L(\Gamma_a, C\Gamma_a) = 1$, for some $n \times n$ matrix $C$ over $GF(2^m)$ [ref]. Therefore, we can define the branch number $\beta_l$ from the viewpoint of linear cryptanalysis as follows:

$$\beta_l = \begin{cases} \min_{\Gamma_a \ne 0}\{wt(\Gamma_a) + wt((M^{-1})^t \Gamma_a)\}, & \text{if } m_{ij} \in Z_2,\ 1 \le i, j \le n, \\ \min_{\Gamma_a \ne 0}\{wt(\Gamma_a) + wt(C\Gamma_a)\}, & \text{if } m_{ij} \in GF(2^m),\ 1 \le i, j \le n. \end{cases}$$


3 Rijndael-Like Structures 

Rijndael is a block cipher composed of SPN structures, and its linear transformation consists of the ShiftRows transformation and the MixColumns transformation. We analyze some interesting properties of the ShiftRows transformation and the MixColumns transformation of Rijndael.
Fig. 4. Another representation of the ShiftRows transformation of Rijndael


Let $\pi : (Z_2^8)^{16} \to (Z_2^8)^{16}$ be the ShiftRows transformation of Rijndael. Let $x = (x_1, x_2, x_3, x_4) = (x_{11}, x_{12}, x_{13}, x_{14}, x_{21}, \dots, x_{34}, x_{41}, x_{42}, x_{43}, x_{44})$ be the input of $\pi$. Figures [ref] and 4 illustrate the ShiftRows transformation $\pi$ of Rijndael.

Let $y = (y_1, y_2, y_3, y_4) = (y_{11}, y_{12}, y_{13}, y_{14}, y_{21}, \dots, y_{34}, y_{41}, y_{42}, y_{43}, y_{44})$ be the output of $\pi$. It is easy to see that, for any $i$ ($i = 1, 2, 3, 4$), each byte of $y_i$ comes from a different $x_j$. For example, for $y_1 = (y_{11}, y_{12}, y_{13}, y_{14}) = (x_{11}, x_{22}, x_{33}, x_{44})$, $x_{11}$ is a byte coming from $x_1$. Furthermore, $x_{22}$, $x_{33}$ and $x_{44}$ are elements of $x_2$, $x_3$ and $x_4$, respectively.

The MixColumns transformation of Rijndael operates on the state column by column, treating each column as a four-term polynomial. Let $\theta = (\theta_1, \theta_2, \theta_3, \theta_4)$ be the MixColumns transformation of Rijndael. Let $y = (y_1, y_2, y_3, y_4) = (y_{11}, y_{12}, y_{13}, y_{14}, y_{21}, \dots, y_{34}, y_{41}, y_{42}, y_{43}, y_{44})$ be the input of $\theta$ and $z = (z_1, z_2, z_3, z_4) = (z_{11}, z_{12}, z_{13}, z_{14}, z_{21}, \dots, z_{34}, z_{41}, z_{42}, z_{43}, z_{44})$ be the output of $\theta$, respectively. Each $\theta_i$ can be written as a matrix multiplication as follows:

$$\begin{pmatrix} z_{i1} \\ z_{i2} \\ z_{i3} \\ z_{i4} \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} y_{i1} \\ y_{i2} \\ y_{i3} \\ y_{i4} \end{pmatrix}.$$

In the matrix multiplication, the addition is bitwise exclusive-or and the multiplication is defined as the multiplication over $GF(2^8)$. Figure 5 illustrates the MixColumns transformation $\theta$ of Rijndael. We can consider each $\theta_i$ as a linear transformation, and we know that the branch number of each $\theta_i$ is 5.

Fig. 5. The MixColumns transformation of Rijndael

Definition 5. Rijndael-like structures are the block ciphers composed of SPN structures satisfying the following:

(i) Their linear transformation has the form $(\theta_1, \theta_2, \theta_3, \theta_4) \circ \pi$.

(ii) (The condition of $\pi$) Each byte of $y_i$ comes from a different $x_j$, where $x = (x_1, x_2, x_3, x_4)$ is the input of $\pi$ and $y = (y_1, y_2, y_3, y_4)$ is the output of $\pi$, respectively.

(iii) (The condition of $\theta = (\theta_1, \theta_2, \theta_3, \theta_4)$) When we consider each $\theta_i$ as a linear transformation, the following hold:

$$\beta_d^{\theta_1} = \beta_d^{\theta_2} = \beta_d^{\theta_3} = \beta_d^{\theta_4} \quad \text{and} \quad \beta_l^{\theta_1} = \beta_l^{\theta_2} = \beta_l^{\theta_3} = \beta_l^{\theta_4}.$$

Rijndael, Square and Crypton are examples of Rijndael-like structures. 

Definition 6. For $x = (x_1, \dots, x_n)$, the pattern of $x$, $\gamma_x$, is defined by $\gamma_x = (\gamma_1, \dots, \gamma_n) \in Z_2^n$, where, if $x_i = 0$, then $\gamma_i = 0$, and if $x_i \ne 0$, then $\gamma_i = 1$.

If $x = (x_1, x_2, x_3, x_4)$, where $x_1 \ne 0$, $x_2 \ne 0$ and $x_3 = x_4 = 0$, then $\gamma_x = (1, 1, 0, 0)$.

Definition 7. Let $x = (x_1, x_2, x_3, x_4)$ be the input of $\pi$ and $y = (y_1, y_2, y_3, y_4)$ be the output of $\pi$, respectively. For arbitrary $\gamma \in Z_2^4$ and $u = (u_1, u_2, u_3, u_4) \in Z^4$, we define $N[\gamma, u]$ as follows:

$$N[\gamma, u] = \#\{y = \pi(x) \mid \gamma_x = \gamma,\ wt(y_i) = u_i,\ 1 \le i \le 4\}.$$

$N[\gamma, u]$ means the number of $y = \pi(x)$ such that $wt(y_i) = u_i$ ($1 \le i \le 4$), when the pattern of the input of $\pi$ is $\gamma$. $N[\gamma, u]$ is well-defined and, for any linear transformation which satisfies the condition of $\pi$, the values of $N[\gamma, u]$ are all the same for any fixed $\gamma$ and $u = (u_1, u_2, u_3, u_4)$. The following are the main properties of $N[\gamma, u]$:

— For some $i$, if $u_i > wt(\gamma)$, then $N[\gamma, u] = 0$, because $wt(y_i) \le wt(\gamma_x)$.

— If $u_1 + u_2 + u_3 + u_4 < wt(\gamma)$, then $N[\gamma, u] = 0$, because $\sum_{i=1}^4 wt(y_i) = \sum_{i=1}^4 wt(x_i) \ge wt(\gamma_x)$.

— If $\max\{u_1, \dots, u_4\} = wt(\gamma)$, then $N[\gamma, u] = \binom{wt(\gamma)}{u_1} \binom{wt(\gamma)}{u_2} \binom{wt(\gamma)}{u_3} \binom{wt(\gamma)}{u_4}$.

— For any permutations $\phi$ and $\rho$ over $\{1, 2, 3, 4\}$,

$$N[(\gamma_1, \gamma_2, \gamma_3, \gamma_4), (u_1, u_2, u_3, u_4)] = N[(\gamma_{\phi(1)}, \gamma_{\phi(2)}, \gamma_{\phi(3)}, \gamma_{\phi(4)}), (u_{\rho(1)}, u_{\rho(2)}, u_{\rho(3)}, u_{\rho(4)})].$$
Example 1. For some $\gamma$ and $u$, it is easy to determine the value of $N[\gamma, u]$. The following are examples:

- $N[(1, 1, 1, 0), (4, 1, 0, 0)] = 0$.

- $N[(1, 1, 1, 0), (1, 1, 0, 0)] = 0$.

- $N[(1, 1, 1, 0), (3, 2, 2, 0)] = 9$.

- $N[(1, 1, 1, 0), (2, 1, 0, 0)] = 3$.
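As an added example (not code from the paper), the following Python computes $N[\gamma, u]$ of Definition 7 by enumerating the byte activity patterns of a $4 \times 4$ state under a ShiftRows-type $\pi$, and reproduces the four values of Example 1 as well as the product-of-binomials property. The mapping is assumed to extend $y_1 = (x_{11}, x_{22}, x_{33}, x_{44})$ from Section 3 to every output column (row $j$ of column $i + j$ goes to row $j$ of column $i$, indices mod 4); any $\pi$ satisfying the condition of Definition 5(ii) gives the same counts.

```python
# Added example (not from the paper): N[gamma, u] of Definition 7 computed by
# enumerating byte activity patterns of the 4x4 state. Indexing follows the
# paper: x = (x_1, ..., x_4) are columns and x_{ij} is row j of column i. The
# assumed ShiftRows mapping sends row j of column (i + j) mod 4 to row j of
# column i, so that y_1 = (x_11, x_22, x_33, x_44) as in Section 3.

from itertools import product
from math import comb


def shiftrows_pattern(xpat):
    """Map an activity pattern xpat[i][j] (column i, row j) through pi."""
    return tuple(tuple(xpat[(i + j) % 4][j] for j in range(4))
                 for i in range(4))


def column_pattern(pat):
    """gamma_x: 1 for each column holding at least one active byte."""
    return tuple(int(any(col)) for col in pat)


def N(gamma, u):
    """#{y = pi(x) | gamma_x = gamma, wt(y_i) = u_i}, over activity patterns."""
    gamma, u, count = tuple(gamma), tuple(u), 0
    for bits in product((0, 1), repeat=16):
        xpat = tuple(bits[4 * i:4 * i + 4] for i in range(4))
        if column_pattern(xpat) != gamma:
            continue
        ypat = shiftrows_pattern(xpat)
        if tuple(sum(col) for col in ypat) == u:
            count += 1
    return count


def N_product_form(gamma, u):
    """Third property: when max(u) = wt(gamma), N = prod_i C(wt(gamma), u_i)."""
    w = sum(gamma)
    if max(u) != w:
        raise ValueError("product form only applies when max(u) == wt(gamma)")
    result = 1
    for ui in u:
        result *= comb(w, ui)
    return result


def example_1():
    """The four values listed in Example 1 of the paper, in order."""
    g = (1, 1, 1, 0)
    return [N(g, (4, 1, 0, 0)), N(g, (1, 1, 0, 0)),
            N(g, (3, 2, 2, 0)), N(g, (2, 1, 0, 0))]
```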


4 The Upper Bound on the Differential and the Linear 
Hull Probabilities for Rijndael-Like Structures 


To compute the upper bound on the maximum differential probability for $r$ ($r \ge 2$) rounds of Rijndael-like structures, we assume the following:

$$\beta_d^{\theta_1} = \beta_d^{\theta_2} = \beta_d^{\theta_3} = \beta_d^{\theta_4} = 5 \quad \text{and} \quad \beta_l^{\theta_1} = \beta_l^{\theta_2} = \beta_l^{\theta_3} = \beta_l^{\theta_4} = 5,$$


and we need the following notations:

— $a = (a_1, \dots, a_4) = (a_{11}, a_{12}, a_{13}, a_{14}, \dots, a_{41}, a_{42}, a_{43}, a_{44})$: input difference.

— $b = (b_1, \dots, b_4) = (b_{11}, b_{12}, b_{13}, b_{14}, \dots, b_{41}, b_{42}, b_{43}, b_{44})$: output difference.

— $DP^r(a, b)$: differential probability of $r$ rounds whose input difference is $a$ and output difference is $b$.

— $x^{(i)} = (x_1^{(i)}, \dots, x_4^{(i)}) = (x_{11}^{(i)}, x_{12}^{(i)}, x_{13}^{(i)}, x_{14}^{(i)}, \dots, x_{41}^{(i)}, x_{42}^{(i)}, x_{43}^{(i)}, x_{44}^{(i)})$: the input of $\pi$ at the $i$-th round.

— $y^{(i)} = (y_1^{(i)}, \dots, y_4^{(i)}) = (y_{11}^{(i)}, y_{12}^{(i)}, y_{13}^{(i)}, y_{14}^{(i)}, \dots, y_{41}^{(i)}, y_{42}^{(i)}, y_{43}^{(i)}, y_{44}^{(i)})$: the output of $\pi$, i.e., the input of $\theta$ at the $i$-th round.

— $z^{(i)} = (z_1^{(i)}, \dots, z_4^{(i)}) = (z_{11}^{(i)}, z_{12}^{(i)}, z_{13}^{(i)}, z_{14}^{(i)}, \dots, z_{41}^{(i)}, z_{42}^{(i)}, z_{43}^{(i)}, z_{44}^{(i)})$: the output of $\theta$ at the $i$-th round.

When the branch number is $n$ or $n + 1$, it is known that the upper bounds of the maximum differential probability and the linear hull probability for 2 rounds of SPN structures are as follows:

Lemma 1 ([ref]).

— If $\beta_d = n + 1$ or $n$, then $DP^2(a, b) \le p^{\beta_d - 1}$.

— If $\beta_l = n + 1$ or $n$, then $LP^2(\Gamma_a, \Gamma_b) \le q^{\beta_l - 1}$.


The upper bound on the maximum differential probability for 2 rounds of Rijndael-like structures is obtained by Lemma 1.

Theorem 1.

$$DP^2(a, b) \le \begin{cases} p^{wt(\gamma_{\pi(a)})(\beta_d - 1)}, & \text{if } \gamma_{\pi(a)} = \gamma_b, \\ 0, & \text{otherwise.} \end{cases}$$
Proof. Let $\pi(a) = a^* = (a_1^*, a_2^*, a_3^*, a_4^*)$. Then $DP^2(a, b) = \prod_{i=1}^4 DP_2^{\theta_i}(a_i^*, b_i)$, where $DP_2^{\theta_i}$ is the differential probability of 2 rounds of the SPN structure whose linear transformation is $\theta_i$. By Lemma 1, we know that the upper bound on $DP_2^{\theta_i}(a_i^*, b_i)$ is the following:

$$DP_2^{\theta_i}(a_i^*, b_i) \le \begin{cases} p^{\beta_d - 1}, & \text{if } a_i^* \ne 0,\ b_i \ne 0, \\ 1, & \text{if } a_i^* = 0,\ b_i = 0, \\ 0, & \text{otherwise.} \end{cases}$$

Therefore, the proof is completed.

By Theorem 1, the upper bound on the maximum differential probability for 2 rounds of Rijndael-like structures is $p^{\beta_d - 1}$. By applying Theorem 1 to Rijndael, we obtain that the maximum differential probability for 2 rounds of Rijndael is bounded by $2^{-24}$, because $\beta_d = 5$, $p = 2^{-6}$.

Now, we compute the upper bound on the maximum differential probability for 3 rounds of Rijndael-like structures. To do this, we prove the following:

Lemma 2. Let $L : (Z_2^m)^n \to (Z_2^m)^n$ be the linear transformation whose branch number is $\beta_d$. For $\gamma \in Z_2^n$ and $b = (b_1, \dots, b_n) \in (Z_2^m)^n$ with $wt(\gamma) + wt(b) \ge \beta_d$, we define the set $A$ as follows:

$$A = \{y = (y_1, \dots, y_n) \in (Z_2^m)^n \mid \gamma_y = \gamma_b,\ y = L(x) \text{ for some } x \text{ such that } \gamma_x = \gamma\}.$$

Then, the following holds:

$$\sum_{y \in A} DP_1(y, b) = \sum_{y \in A} DP(y_1, b_1) \cdots DP(y_n, b_n) \le p^{\max\{0,\ \beta_d - wt(\gamma) - 1\}}.$$


Proof. Since $\sum_{y \in A} DP_1(y, b) \le \sum_{y \in (Z_2^m)^n} DP_1(y, b) = 1$, it is sufficient to consider the case $\beta_d - wt(\gamma) - 1 \ge 0$. Without loss of generality, we assume that $wt(b) = k$ and $b_1 \ne 0, \dots, b_k \ne 0$, $b_{k+1} = \cdots = b_n = 0$. Then

$$\sum_{y \in A} DP_1(y, b) = \sum_{y \in A} DP(y_1, b_1) \cdots DP(y_k, b_k). \qquad (1)$$

We proceed with the proof in two cases: $wt(\gamma) + wt(b) = \beta_d$ and $wt(\gamma) + wt(b) > \beta_d$.

(Case 1: $wt(\gamma) + wt(b) = \beta_d$.) For any $i$ ($1 \le i \le k$), let $y_{i,1}, y_{i,2}, \dots, y_{i,\delta}$ be all possible values of $y_i$ in Equation (1). Then, for each $i$ ($1 \le i \le k$), $y_{i,1}, y_{i,2}, \dots, y_{i,\delta}$ are distinct, because $L$ is linear and $wt(\gamma) + wt(b) = \beta_d$. If, for some $i$ ($1 \le i \le k$), $y_{i,1}, y_{i,2}, \dots, y_{i,\delta}$ are not distinct, then there exists a pair $(y_{i,l}, y_{i,l'})$ such that $y_{i,l} = y_{i,l'}$, where $y_{i,l}$ is the $i$-th component of $y = L(x)$ and $y_{i,l'}$ is the $i$-th component of $y' = L(x')$, respectively. Since $L(x) \oplus L(x') = L(x \oplus x')$, the $i$-th component of $L(x \oplus x')$ is equal to zero. This contradicts the definition of the branch number. Therefore, we can establish the following:

$$\sum_{y \in A} DP_1(y, b) \le p^{k-1} \sum_{y \in A} DP(y_1, b_1) \le p^{k-1} = p^{\beta_d - wt(\gamma) - 1}.$$
(Case 2: $wt(\gamma) + wt(b) > \beta_d$.) In this case, $y_{i,1}, y_{i,2}, \dots, y_{i,\delta}$ are not necessarily distinct. We fix $t = k + wt(\gamma) - \beta_d$ of the nonzero components of $y$, i.e., $y_1, y_2, \dots, y_t$. Then, all possible values of each of the other components ($y_{t+1}, \dots, y_k$) are distinct. Therefore, we can establish the following:

$$\sum_{y \in A} DP_1(y, b) \le \sum_{j_1=1}^{2^m - 1} DP(j_1, b_1) \cdots \sum_{j_t=1}^{2^m - 1} DP(j_t, b_t) \sum_{\substack{y \in A \\ y_i = j_i,\ 1 \le i \le t}} DP(y_{t+1}, b_{t+1}) \cdots DP(y_k, b_k)$$

$$\le \sum_{j_1=1}^{2^m - 1} DP(j_1, b_1) \cdots \sum_{j_t=1}^{2^m - 1} DP(j_t, b_t)\, p^{k-t-1} = p^{k-t-1} = p^{\beta_d - wt(\gamma) - 1}.$$


Theorem 2. Let $wt(\gamma_{\pi(a)}) = l$ and $wt(b) = k$. Let $b_{t_1}, \dots, b_{t_k}$ be the nonzero components of $b = (b_1, b_2, b_3, b_4)$. Then

$$DP^3(a, b) \le p^{l(\beta_d - 1)} \sum_{j_1 = \beta_d - wt(b_{t_1})}^{l} \cdots \sum_{j_k = \beta_d - wt(b_{t_k})}^{l} N[\gamma_{\pi(a)}, (u_1, u_2, u_3, u_4)] \cdot p^{\sum_{s=1}^{k} \max\{0,\ \beta_d - j_s - 1\}},$$

where each $u_i$ ($1 \le i \le 4$) is the following:

$$u_i = \begin{cases} j_s, & \text{if } i = t_s \text{ for some } t_s, \\ 0, & \text{otherwise.} \end{cases}$$

Proof. Without loss of generality, we assume that $t_1 = 1, \ldots, t_k = k$. By Theorem 1,

$$DP_3(a,b) = \sum_{x^{(2)}} DP_2(a,x^{(2)})\, DP_1(z^{(2)},b) \le \max_{x^{(2)}} DP_2(a,x^{(2)}) \sum_{x^{(2)}} DP_1(z^{(2)},b) \le p^{l(\beta_d - 1)} \sum_{x^{(2)}} DP_1(z^{(2)},b),$$

where $z^{(2)} = L(x^{(2)}) = (\theta_1(y^{(2)}), \theta_2(y^{(2)}), \theta_3(y^{(2)}), \theta_4(y^{(2)}))$. Furthermore, the following three conditions hold:

(i) $\gamma_{z_1^{(2)}} = \gamma_{b_1}, \ldots, \gamma_{z_k^{(2)}} = \gamma_{b_k},\ \gamma_{z_{k+1}^{(2)}} = \cdots = \gamma_{z_4^{(2)}} = 0$,

(ii) $y_1^{(2)} \neq 0, \ldots, y_k^{(2)} \neq 0,\ y_{k+1}^{(2)} = \cdots = y_4^{(2)} = 0$,

(iii) $\gamma_{x^{(2)}} = \gamma_{\pi(a)}$.

For each $i$ ($1 \le i \le k$), since $y_i^{(2)}$ and $z_i^{(2)}$ are the nonzero input and nonzero output of $\theta_i$, respectively, we know that $wt(y_i^{(2)}) + wt(z_i^{(2)}) \ge \beta_d$. Furthermore, since $wt(b_i) = wt(z_i^{(2)})$, we know that $wt(y_i^{(2)}) + wt(b_i) \ge \beta_d$. Therefore, since $wt(y_i^{(2)}) \le wt(\gamma_{x^{(2)}})$, we can establish the following:

$$\beta_d - wt(b_i) \le wt(y_i^{(2)}) \le wt(\gamma_{\pi(a)}), \quad 1 \le i \le k.$$

Now, we consider $j_i$ ($1 \le i \le k$) such that $\beta_d - wt(b_i) \le j_i \le wt(\gamma_{\pi(a)})$. For $(\gamma_1, \ldots, \gamma_4)$ satisfying $wt(\gamma_i) = j_i$ if $1 \le i \le k$ and $wt(\gamma_i) = 0$ if $k+1 \le i \le 4$, we define the set $A_{(\gamma_1, \ldots, \gamma_4)}$ as follows:

$$A_{(\gamma_1, \ldots, \gamma_4)} = \{\, z^{(2)} = (z_1^{(2)}, \ldots, z_4^{(2)}) \mid \gamma_{y_i^{(2)}} = \gamma_i,\ 1 \le i \le 4 \,\},$$

where $z^{(2)}$ satisfies the three conditions (i), (ii) and (iii).

The set $A_{(\gamma_1, \ldots, \gamma_4)}$ can be empty, but the number of non-empty sets $A_{(\gamma_1, \ldots, \gamma_4)}$ is $N[\gamma_{\pi(a)}, (j_1, \ldots, j_k, 0, \ldots, 0)]$. If $A_{(\gamma_1, \ldots, \gamma_4)}$ is not empty, by Lemma 2,

$$\sum_{z^{(2)} \in A_{(\gamma_1, \ldots, \gamma_4)}} DP_1(z^{(2)},b) = \sum_{z_1^{(2)}} DP_1(z_1^{(2)},b_1) \cdots \sum_{z_k^{(2)}} DP_1(z_k^{(2)},b_k) \le p^{\sum_{s=1}^{k} \max\{0,\ \beta_d - j_s - 1\}}.$$

Therefore,

$$DP_3(a,b) \le p^{l(\beta_d - 1)} \sum_{j_1 = \beta_d - wt(b_{t_1})}^{l} \cdots \sum_{j_k = \beta_d - wt(b_{t_k})}^{l} N[\gamma_{\pi(a)}, (u_1, u_2, u_3, u_4)] \cdot p^{\sum_{s=1}^{k} \max\{0,\ \beta_d - j_s - 1\}},$$

and the proof is completed.

To derive the upper bound on the maximum differential probability for 4 rounds of Rijndael-like structures, we prove the following three lemmas.

Lemma 3. If $wt(\gamma_{\pi(a)}) = 2$ and $wt(b) = 3$, then $DP_4(a,b) \le 4p^{19} + 6p^{18} + 4p^{17} + p^{16}$.

Proof. We assume that $\gamma_b = (1,1,1,0)$. Then we can represent $DP_4(a,b)$ as follows:

$$DP_4(a,b) = \sum_{x^{(3)}} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) = \sum_{i=1}^{4} \sum_{wt(\gamma_{x^{(3)}}) = i} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) := I + II + III + IV.$$

We know that $wt(y) \le wt(x) = wt(\gamma_{\pi(a)}) = 2$ and $wt(z^{(3)}) = wt(x^{(3)}) \le wt(b) = 3$. Since $\beta_d = 5$, $wt(x_i^{(3)}) = 3$, where $x_i^{(3)}$ is a nonzero component of $x^{(3)}$. Now, we compute the value of $I$. We can represent $I$ as follows:

$$I = \sum_{\gamma_{x^{(3)}} = (1,0,0,0)} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) + \sum_{\gamma_{x^{(3)}} = (0,1,0,0)} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b)$$

$$+ \sum_{\gamma_{x^{(3)}} = (0,0,1,0)} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) + \sum_{\gamma_{x^{(3)}} = (0,0,0,1)} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b)$$

$$:= I_1 + I_2 + I_3 + I_4.$$

At first, we compute the value of $I_1$. Since $wt(x_1^{(3)}) = 3$, by Theorem 2,

$$\max_{\gamma_{x^{(3)}} = (1,0,0,0)} DP_3(a,x^{(3)}) \le p^{8} \sum_{j=2}^{2} N[\gamma_{\pi(a)}, (j,0,0,0)]\, p^{4-j} = p^{10}.$$

Since $wt(x_1^{(3)}) = 3$ and $\gamma_b = (1,1,1,0)$, the number of patterns $(\gamma_{y_1^{(3)}}, \gamma_{y_2^{(3)}}, \gamma_{y_3^{(3)}}, 0)$ is equal to $N[(1,1,1,0), (3,0,0,0)] = 1$. For the pattern $(\gamma_1, \gamma_2, \gamma_3, 0)$, by Lemma 2,

$$\sum_{\gamma_{x^{(3)}} = (1,0,0,0)} DP_1(z^{(3)},b) = \sum DP(z_1^{(3)},b_1) \sum DP(z_2^{(3)},b_2) \sum DP(z_3^{(3)},b_3) \le p^{12 - (wt(\gamma_1) + wt(\gamma_2) + wt(\gamma_3))} \le p^{9}.$$

Therefore,

$$I_1 \le \max_{\gamma_{x^{(3)}} = (1,0,0,0)} DP_3(a,x^{(3)}) \sum_{\gamma_{x^{(3)}} = (1,0,0,0)} DP_1(z^{(3)},b) \le p^{19}.$$

By applying the same method, it can be shown that the upper bounds of $I_2$, $I_3$ and $I_4$ are the same as that of $I_1$. Therefore, we arrive at $I \le 4p^{19}$. Furthermore, using the same method, we have $II \le 6p^{18}$ and $III \le 4p^{17}$. At last, the upper bound on $IV$ can be computed by Theorem 1 as follows:

$$IV \le \max_{wt(\gamma_{x^{(3)}}) = 4} DP_3(a,x^{(3)}) = \max_{wt(\gamma_{x^{(3)}}) = 4} \sum_{x^{(1)}} DP_1(a,x^{(1)})\, DP_2(z^{(1)},x^{(3)}) \le \max_{wt(\gamma_{x^{(3)}}) = 4,\ x^{(1)}} DP_2(z^{(1)},x^{(3)}) \le p^{16}.$$

Therefore,

$$DP_4(a,b) = I + II + III + IV \le 4p^{19} + 6p^{18} + 4p^{17} + p^{16}.$$
Lemma 4. If $wt(\gamma_{\pi(a)}) = 3$ and $wt(b) = 2$, then $DP_4(a,b) \le 4p^{19} + 6p^{18} + 4p^{17} + p^{16}$.

Proof. The proof is similar to that of Lemma 3 and is omitted.

Lemma 5. If $wt(\gamma_{\pi(a)}) = 3$ and $wt(b) = 3$, then $DP_4(a,b) \le 184p^{22} + 912p^{21} + 438p^{20} + 72p^{19} + 4p^{18} + p^{16}$.

Proof. We assume that $\gamma_b = (1,1,1,0)$. Then we can represent $DP_4(a,b)$ as follows:

$$DP_4(a,b) = \sum_{x^{(3)}} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) = \sum_{i=1}^{4} \sum_{wt(\gamma_{x^{(3)}}) = i} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) := I + II + III + IV.$$

We know that $wt(y) \le wt(x) = wt(\gamma_{\pi(a)}) = 3$ and $wt(z^{(3)}) = wt(x^{(3)}) \le wt(b) = 3$. Since $\beta_d = 5$, $wt(x_i^{(3)}) = 2$ or $3$, where $x_i^{(3)}$ is a nonzero component of $x^{(3)}$. Now, we compute the value of $I$. We can represent $I$ as follows:

$$I = \sum_{\gamma_{x^{(3)}} = (1,0,0,0)} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) + \sum_{\gamma_{x^{(3)}} = (0,1,0,0)} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b)$$

$$+ \sum_{\gamma_{x^{(3)}} = (0,0,1,0)} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) + \sum_{\gamma_{x^{(3)}} = (0,0,0,1)} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b)$$

$$:= I_1 + I_2 + I_3 + I_4.$$

At first, we compute the value of $I_1$. Since $\sum_{i=1}^{4} wt(x_i^{(3)}) \ge wt(b) = 3$, if $x_1^{(3)} \neq 0$ then $wt(x_1^{(3)}) = 3$. Therefore, using the same method as in Lemma 3, we know that $I_1 \le p^{22}$ and $I \le 4p^{22}$. Secondly, we compute the value of $II$. For $\gamma_{x^{(3)}} = (1,1,0,0)$, we have the following:

$$\sum_{\gamma_{x^{(3)}} = (1,1,0,0)} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) = \sum_{i} \sum_{j} \sum_{wt(x_1^{(3)}) = i,\ wt(x_2^{(3)}) = j} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b).$$

Since $wt(x_1^{(3)}) = 2$ and $wt(x_2^{(3)}) = 2$, by Theorem 2,

$$\max_{wt(x_1^{(3)}) = 2,\ wt(x_2^{(3)}) = 2} DP_3(a,x^{(3)}) \le p^{12} \sum_{j_1 = 3}^{3} \sum_{j_2 = 3}^{3} N[\gamma_{\pi(a)}, (j_1, j_2, 0, 0)]\, p^{\sum_{s=1}^{2} \max\{0,\ 5 - j_s - 1\}} = p^{12} \cdot N[(1,1,1,0), (3,3,0,0)]\, p^{2} = p^{14}.$$

Since $wt(x_1^{(3)}) = 2$, $wt(x_2^{(3)}) = 2$ and $\gamma_b = (1,1,1,0)$, the number of patterns of the form $(\gamma_{z_1^{(3)}}, \gamma_{z_2^{(3)}}, \gamma_{z_3^{(3)}}, 0)$ is equal to $N[(1,1,1,0), (2,2,0,0)] = 6$. For each $(\gamma_1, \gamma_2, \gamma_3, 0)$, by Lemma 2,

$$\sum_{\gamma_{z_i^{(3)}} = \gamma_i,\ 1 \le i \le 3} DP_1(z^{(3)},b) = \sum DP(z_1^{(3)},b_1) \sum DP(z_2^{(3)},b_2) \sum DP(z_3^{(3)},b_3) \le p^{12 - (wt(\gamma_1) + wt(\gamma_2) + wt(\gamma_3))} = p^{8}.$$

Therefore, $\sum_{wt(x_1^{(3)}) = 2,\ wt(x_2^{(3)}) = 2} DP_1(z^{(3)},b) \le 6p^{8}$ and we arrive at the following:

$$\sum_{wt(x_1^{(3)}) = 2,\ wt(x_2^{(3)}) = 2} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) \le \max_{wt(x_1^{(3)}) = 2,\ wt(x_2^{(3)}) = 2} DP_3(a,x^{(3)}) \sum_{wt(x_1^{(3)}) = 2,\ wt(x_2^{(3)}) = 2} DP_1(z^{(3)},b) \le 6p^{22}.$$

Using the same method, we have the following:

$$\sum_{wt(x_1^{(3)}) = 2,\ wt(x_2^{(3)}) = 3} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) \le 3(3p^{15} + p^{14})p^{7},$$

$$\sum_{wt(x_1^{(3)}) = 3,\ wt(x_2^{(3)}) = 2} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) \le 3(3p^{15} + p^{14})p^{7},$$

$$\sum_{wt(x_1^{(3)}) = 3,\ wt(x_2^{(3)}) = 3} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) \le (6p^{16} + 6p^{15} + p^{14})p^{6}.$$

Therefore, we arrive at

$$\sum_{\gamma_{x^{(3)}} = (1,1,0,0)} DP_3(a,x^{(3)})\, DP_1(z^{(3)},b) \le 6p^{22} + 6(3p^{15} + p^{14})p^{7} + (6p^{16} + 6p^{15} + p^{14})p^{6}$$

and

$$II \le 6\,[\,6p^{22} + 6(3p^{15} + p^{14})p^{7} + (6p^{16} + 6p^{15} + p^{14})p^{6}\,],$$

because the upper bound on the summation for each distinct $\gamma_{x^{(3)}}$ such that $wt(\gamma_{x^{(3)}}) = 2$ is the same as the upper bound on the summation for $\gamma_{x^{(3)}} = (1,1,0,0)$. Using the same method, we have the following:

$$III \le 4\,[\,24p^{21} + 27(3p^{16} + p^{15})p^{5} + 9(9p^{17} + 6p^{16} + p^{15})p^{4} + (24p^{18} + 27p^{17} + 9p^{16} + p^{15})p^{3}\,].$$

At last, the upper bound on $IV$ can be computed by Theorem 1 as follows:

$$IV \le \max_{wt(\gamma_{x^{(3)}}) = 4} DP_3(a,x^{(3)}) \le \max_{wt(\gamma_{x^{(3)}}) = 4,\ x^{(1)}} DP_2(z^{(1)},x^{(3)}) \le p^{16}.$$

Therefore, we arrive at

$$DP_4(a,b) = I + II + III + IV \le 184p^{22} + 912p^{21} + 438p^{20} + 72p^{19} + 4p^{18} + p^{16},$$

and the proof is completed.

Theorem 3 gives the upper bound on the maximum differential probability for 4 rounds of Rijndael-like structures; this is the main result of this paper.

Theorem 3.

$$DP_4(a,b) \le \max\{\, 4p^{19} + 6p^{18} + 4p^{17} + p^{16},\ 184p^{22} + 912p^{21} + 438p^{20} + 72p^{19} + 4p^{18} + p^{16} \,\}.$$

Proof. We compute the upper bound on $DP_4(a,b)$ according to the values of $wt(\gamma_{\pi(a)})$ and $wt(b)$. Since $\beta_d = 5$, if $wt(\gamma_{\pi(a)}) + wt(b) \le 4$, then $DP_4(a,b) = 0$. Therefore, it is sufficient to compute the upper bound on $DP_4(a,b)$ when $wt(\gamma_{\pi(a)}) + wt(b) \ge 5$.

(i) If $wt(\gamma_{\pi(a)}) = 4$, then, by Theorem 1,

$$DP_4(a,b) = \sum_{x^{(2)}} DP_2(a,x^{(2)})\, DP_2(z^{(2)},b) \le \max_{x^{(2)}} DP_2(a,x^{(2)}) \le p^{16}.$$

(ii) If $wt(b) = 4$, then, by Theorem 1,

$$DP_4(a,b) = \sum_{x^{(2)}} DP_2(a,x^{(2)})\, DP_2(z^{(2)},b) \le \max_{x^{(2)}} DP_2(a,x^{(2)}) \le p^{16}.$$

(iii) If $wt(\gamma_{\pi(a)}) = 2$ and $wt(b) = 3$, then, by Lemma 3,

$$DP_4(a,b) \le 4p^{19} + 6p^{18} + 4p^{17} + p^{16}.$$

(iv) If $wt(\gamma_{\pi(a)}) = 3$ and $wt(b) = 2$, then, by Lemma 4,

$$DP_4(a,b) \le 4p^{19} + 6p^{18} + 4p^{17} + p^{16}.$$

(v) If $wt(\gamma_{\pi(a)}) = 3$ and $wt(b) = 3$, then, by Lemma 5,

$$DP_4(a,b) \le 184p^{22} + 912p^{21} + 438p^{20} + 72p^{19} + 4p^{18} + p^{16}.$$

When $p \le 2^{-3}$, the maximum differential probability for 4 rounds of Rijndael-like structures is bounded by $4p^{19} + 6p^{18} + 4p^{17} + p^{16}$.

Using the same method as in Theorem 3, we can compute the upper bound on the linear hull probability for 4 rounds of Rijndael-like structures.

Theorem 4.

$$LP_4(a,b) \le \max\{\, 4q^{19} + 6q^{18} + 4q^{17} + q^{16},\ 184q^{22} + 912q^{21} + 438q^{20} + 72q^{19} + 4q^{18} + q^{16} \,\}.$$


We know that the differential probabilities for 5 rounds of Rijndael-like structures are smaller than or equal to the maximum differential probability for 4 rounds of Rijndael-like structures:

$$DP_5(a,b) = \sum_{x^{(1)}} DP_1(a,x^{(1)})\, DP_4(z^{(1)},b) \le \max DP_4.$$

Similarly, we know that the differential probabilities for $r$ ($r \ge 5$) rounds of Rijndael-like structures are smaller than or equal to the maximum differential probability for 4 rounds of Rijndael-like structures. Therefore, the upper bounds on the maximum differential probability and the linear hull probability for 4 rounds of Rijndael-like structures in Theorem 3 and Theorem 4 are also upper bounds for $r$ ($r \ge 5$) rounds of Rijndael-like structures.

By applying our method to Rijndael, since $p = q = 2^{-6}$ and $\beta_d = \beta_l = 5$, the upper bound on $DP_4(a,b)$ and $LP_4(a,b)$ is the following:

$$4 \times 2^{-114} + 6 \times 2^{-108} + 4 \times 2^{-102} + 2^{-96} \approx 1.06 \times 2^{-96}.$$
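The two polynomials of Theorem 3 and the Rijndael figure above can be checked with exact rational arithmetic. The following Python is an added example, not code from the paper: it evaluates both bounds at a given S-box differential probability p, takes the maximum as Theorem 3 prescribes, reports which branch is active (so the "p ≤ 2^-3" remark can be tested at the boundary), and expresses the Rijndael value as a multiple of 2^-96. The function names and the toy driver are the example's own.

```python
from fractions import Fraction

# Coefficients of the two bounds in Theorem 3, as (coefficient, exponent) pairs.
BOUND_A = [(4, 19), (6, 18), (4, 17), (1, 16)]                        # 4p^19 + 6p^18 + 4p^17 + p^16
BOUND_B = [(184, 22), (912, 21), (438, 20), (72, 19), (4, 18), (1, 16)]  # 184p^22 + ... + 4p^18 + p^16


def evaluate(poly, p):
    """Evaluate a coefficient/exponent list at the rational point p, exactly."""
    return sum(c * p ** e for c, e in poly)


def dp4_bound(p):
    """Theorem 3: DP_4(a,b) <= max of the two polynomials.
    Returns (bound, active_branch) where active_branch is "A" or "B"."""
    a, b = evaluate(BOUND_A, p), evaluate(BOUND_B, p)
    return (a, "A") if a >= b else (b, "B")


def bound_at_power_of_two(k):
    """Convenience wrapper for p = 2^-k (the S-box probabilities the paper discusses)."""
    return dp4_bound(Fraction(1, 2 ** k))


def rijndael_bound():
    """Rijndael S-box: p = 2^-6. The branch number beta_d = 5 is already built into the polynomials."""
    return bound_at_power_of_two(6)[0]


def scaled_by_2_to_96(x):
    """Express x as a multiple of 2^-96, to compare with the paper's 1.06 x 2^-96."""
    return float(x * Fraction(2) ** 96)


if __name__ == "__main__":
    for k in (1, 3, 6):
        bound, branch = bound_at_power_of_two(k)
        print(f"p = 2^-{k}: branch {branch} is the maximum, bound = {float(bound):.3e}")
    print("Rijndael, 4 rounds:", scaled_by_2_to_96(rijndael_bound()), "x 2^-96")
```

For p = 2^-3 and below the first polynomial is the larger one, as the paper states after Theorem 3; for a (hypothetically) weak S-box with p = 2^-1 the second polynomial dominates, which is why Theorem 3 is stated as a maximum rather than as the first polynomial alone.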

5 Conclusion

In this paper, we have proposed a new method for upper bounding the maximum differential probability and the maximum linear hull probability for Rijndael-like structures. We have proved that the maximum differential probability for 4 rounds of Rijndael-like structures is bounded by $4p^{19} + 6p^{18} + 4p^{17} + p^{16}$, when the maximum differential probability for S-boxes is $p$ ($\le 2^{-3}$). Also, we have proved that the maximum linear hull probability for 4 rounds of Rijndael-like structures is bounded by $4q^{19} + 6q^{18} + 4q^{17} + q^{16}$, when the maximum linear hull probability for S-boxes is $q$ ($\le 2^{-3}$). By applying our method to Rijndael, an improved upper bound of $1.06 \times 2^{-96}$ is obtained.
Abstract. We consider threshold cryptosystems over a composite modulus N where the factors of N are shared among the participants as the secret key. This is a new paradigm for threshold cryptosystems based on a composite modulus, differing from the typical treatment of RSA-based systems where a "decryption exponent" is shared among the participants. Our approach yields solutions to some open problems in threshold cryptography; in particular, we obtain the following:

1. Threshold Homomorphic Encryption. A number of applications (e.g., electronic voting or efficient multi-party computation) require threshold homomorphic encryption schemes. We present a protocol for threshold decryption of the homomorphic Goldwasser-Micali encryption scheme [34], answering an open question of [21].

2. Threshold Cryptosystems as Secure as Factoring. We describe a threshold version of a variant of the signature standards ISO 9796-2 and PKCS#1 v1.5 (cf. [39, Section 11.3.4]), thus giving the first threshold signature scheme whose security (in the random oracle model) is equivalent to the hardness of factoring [12]. Our techniques may be adapted to distribute the Rabin encryption scheme [44], whose semantic security may be reduced to the hardness of factoring.

3. Efficient Threshold Schemes without a Trusted Dealer. Because our schemes only require sharing of N, which furthermore need not be a product of strong primes, our schemes are very efficient (compared to previous schemes) when a trusted dealer is not assumed and key generation is done in a distributed manner.

Extensions to achieve robustness and proactivation are also possible with our schemes.

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 192-205, 2002.

1 Introduction

Threshold cryptosystems provide for increased security and availability of a particular cryptographic protocol by distributing the protocol among a number of participants. In a $k$-out-of-$\ell$ threshold scheme, the protocol is distributed in such a way that an adversary who corrupts at most $k-1$ participants (and learns all their local information) still cannot determine the secret key of the system or break the underlying cryptographic protocol. On the other hand, increased availability is achieved by ensuring that only $k$ participants are needed in order to carry out the computation and deliver the result. Going further, systems can be designed in a robust manner, such that even a malicious adversary who causes up to $k-1$ ($k < \ell/2$) players to deviate arbitrarily from the protocol cannot prevent the correct output from being computed. Threshold schemes can also be proactivized to withstand the compromise of even all participants over the lifetime of the protocol, as long as only $k-1$ participants are corrupted during each time period; they may also be extended to handle adaptive adversaries who decide whom to corrupt at any point during execution of the protocol.

A long line of research has focused on threshold cryptography, with particular emphasis on threshold signature schemes (in many cases, deriving a threshold decryption scheme from a related signature scheme is easy). The approach was initiated by [?], and the first provably secure schemes for RSA- and discrete-logarithm-based signature schemes were given in [?]. Subsequent work focused on adding robustness to existing schemes [?] and on threshold decryption schemes with security against chosen-ciphertext attacks [?].

The above protocols are all proven secure with respect to a non-adaptive adversary who must choose which participants to corrupt before protocol execution begins (this is the type of adversary we consider here). Many recent works have dealt with stronger classes of adversaries, including adaptive [?] and proactive [?] adversaries. We refer the reader elsewhere for more comprehensive surveys of the existing literature (e.g., [?]).

The protocols mentioned above assume a dealer who distributes keys to the participants before the protocol begins. The dealer must be minimally trusted not to reveal the secret key and therefore represents a single point of failure for the entire system. Thus, it is often desirable to distribute the key-generation phase among the participants. This was first accomplished for discrete-logarithm-based cryptosystems in [?] (building on [?]), and for RSA-based cryptosystems in [?] (for passive adversaries) and [27] (for active adversaries).

There is still a need to design threshold schemes for many specific cryptosystems (most previous research on threshold cryptography was restricted to RSA- and discrete-logarithm-based schemes). First, note that for threshold cryptography to become truly practical, it remains important to improve the efficiency and conceptual simplicity of existing solutions.¹ Furthermore, as pointed out many times previously [?], threshold homomorphic encryption schemes are useful for achieving such goals as electronic voting and efficient multi-party computation. Threshold schemes have been given previously [?] for the El Gamal (which is homomorphic under group multiplication) and Paillier [?] (which is homomorphic under addition) cryptosystems. Yet, for some applications, homomorphism over, e.g., $\mathbb{Z}_2$ is required or sufficient [?], and hence other homomorphic schemes may not work or may be "overkill" for the problem at hand. Clearly, additional approaches yielding threshold homomorphic encryption are needed (and this was left as an explicit open question in [21]; see also [13]).

¹ This is the motivation for the study of threshold cryptography since, in a theoretical sense, "solutions" already exist using generic multi-party computation [?].
1.1 Our Contributions

Threshold Homomorphic Encryption. We show how to achieve threshold decryption for the Goldwasser-Micali (GM) encryption scheme [34], whose security is based on the hardness of deciding quadratic residuosity. The GM encryption scheme is homomorphic over $\mathbb{Z}_2$. As mentioned above, (semantically-secure) threshold homomorphic encryption schemes have many important applications; for example, efficient multi-party computation can be based on any (efficient) scheme of this type [?]. Threshold GM encryption can also be used for distributed tallying in electronic voting [?].

Concurrent with the present work, a variant threshold GM-like cryptosystem has been constructed [?] using an alternate approach. However, this scheme (which builds on [?]) requires the DDH assumption in $\mathbb{Z}_N^*$, whereas the security of our construction relies only on the quadratic residuosity assumption. Indeed, eliminating this assumption is left as an open question in [?]. We believe our solution also offers a more efficient and conceptually simpler method. Finally, our scheme has the added advantage of allowing for efficient distributed key generation when a trusted dealer is not assumed; this is not possible in [?] because they require N to be a product of safe primes.²

Threshold Cryptosystems Based on Factoring. We are not aware of any previous constructions of threshold cryptosystems whose security can be reduced to the assumption that factoring is hard. Here, we propose a novel and efficient distributed version of the Rabin-Williams signature scheme [39, Section 11.3.4] (see also [?]), variants of which have been standardized. Security of this scheme has recently been shown [12] to be equivalent to the hardness of factoring in the random oracle model (see also earlier work of [?]).

Efficiency Improvements. The protocols we present are all efficient and practical threshold schemes. When a trusted dealer cannot be assumed (and key generation must therefore be done in a distributed fashion), our threshold schemes are more efficient than previous solutions not requiring a trusted dealer [?]. The threshold schemes presented here may be easily executed in a modular manner following a "streamlined" version of the distributed key-generation protocols of [?, 27]: all information required by the present schemes is in place upon completion of these key-generation protocols, and we do not require that N be a product of safe primes. A "streamlined" version of these protocols may be used because we do not require computation of an inverse over a shared (secret) modulus (and therefore are done once N has been generated). We are therefore able to avoid altogether the step whose efficiency is improved by [?].

Finally, we believe the methods outlined in this paper are interesting in their own right; the sharing of the factors of N alone, without the need to additionally share a "decryption exponent", is a new paradigm for threshold cryptography over composite moduli and may prove useful in the design of future schemes. It is specifically useful whenever the function to be computed can be expressed as a combination of the factors and where the computation of its partial results is enabled by shares of the factors.

² The recent work of [?] shows how N of this form can be generated efficiently in a distributed fashion; even so, it remains more efficient to generate N without this added requirement.

2 Model and Definitions

2.1 The Model

Participants. The participants are $\ell$ servers $\{P_1, \ldots, P_\ell\}$ and a trusted dealer $D$.³ The dealer generates a public key N for the underlying cryptosystem and distributes shares to each of the participants. After the dealing phase, the dealer does not take part in executions of the protocol. Following [?], we assume the participants are connected by a complete network of private channels. In addition, all players have access to an authenticated broadcast channel so that the true sender of a message can always be correctly determined. These assumptions allow us to focus on high-level descriptions of the protocols; however, they may be instantiated using standard cryptographic techniques (in the proactive setting, care needs to be taken; see [?]).

The Adversary. Our $k$-out-of-$\ell$ schemes assume a non-adaptive adversary who may corrupt up to $k-1$ participants in advance of protocol execution. The adversary has access to all information available to the corrupted players, including their secret keys, messages they receive, and messages broadcast to all players. One may consider two types of adversaries: passive adversaries who follow the protocol faithfully yet monitor all information available to corrupted participants, and active adversaries who may cause participants to deviate arbitrarily from the protocol. We consider both types of adversaries in what follows. In the case of threshold signature schemes, the adversary may submit signing requests to the system at any time; in the case of threshold decryption, we consider both chosen plaintext and chosen ciphertext attacks.

2.2 Security

Formal definitions of security for threshold cryptosystems have appeared elsewhere [?]. We describe, informally, our requirements. First, we want the security of the threshold scheme to be equivalent to the security of the original scheme even when an adversary has corrupted $k-1$ servers and obtained all their local information. To prove that this requirement is met, we reduce the security of the threshold scheme to that of the original scheme by showing how an adversary attacking the original scheme can simulate the view of (up to) $k-1$ servers in the threshold scheme. Following [?], we call such threshold protocols simulatable. An additional requirement we will consider is robustness: for any active adversary who causes at most $k-1$ ($k < \ell/2$) participants to deviate arbitrarily from the protocol, the correct result can always be computed by the remaining (uncorrupted) participants.

³ We stress that this trusted dealer is not essential to our schemes since a distributed algorithm (adapting [?, 27]) may be run when a dealer is not available.
3 A Threshold Homomorphic Encryption Scheme

We begin by describing how to achieve threshold decryption for the well-known homomorphic encryption scheme of Goldwasser and Micali [34] (henceforth, GM). The GM encryption scheme is as follows: the public key is a composite $N = pq$, where $p$ and $q$ are prime and $p \equiv q \equiv 3 \bmod 4$. The private key consists of the factorization of N. To encrypt bit $b \in \{0, 1\}$, choose a random element $r \in \mathbb{Z}_N$ and send $C = (-1)^b r^2 \bmod N$. Decryption of ciphertext $C$ proceeds by determining whether $C$ is a quadratic residue or not. To do this, first calculate the Jacobi symbol $J = \left(\frac{C}{N}\right)$. If $J \neq 1$, the ciphertext is ill-formed (i.e., the encryption algorithm was not run honestly, or else the message was corrupted in transmission); therefore, simply output $\bot$. If $J = 1$, we may decide whether $C$ is a quadratic residue by computing $b' = C^{(N-p-q+1)/4} \bmod N$; note that $b' = \pm 1$ and furthermore $C$ is a quadratic residue iff $b' = 1$. The original plaintext can be recovered as $b = (1 - b')/2$. This scheme is semantically secure under the quadratic residuosity assumption [34].

3.1 An $\ell$-out-of-$\ell$ Protocol

For simplicity and clarity of exposition, we describe in this section a protocol for "basic" threshold GM decryption (cf. Figure 1) which assumes a trusted dealer and is an $\ell$-out-of-$\ell$ solution. Thus, all $\ell$ participants are needed in order to decrypt a ciphertext; on the other hand, it remains infeasible for any adversary who corrupts $\ell - 1$ or fewer participants to decrypt a given ciphertext. In the following section, we discuss extensions and modifications which allow for the

Dealing Phase

Input: Composite $N$ and primes $p, q$ ($|p| = |q| = n$) such that $N = pq$ with $p \equiv q \equiv 3 \bmod 4$

1. Choose $p_1, q_1, \ldots, p_\ell, q_\ell \in_R (0, 2^{2n})$ such that $p_i \equiv q_i \equiv 0 \bmod 4$, for all $i$

2. Set $p_0 = p - \sum_{i=1}^{\ell} p_i$ and $q_0 = q - \sum_{i=1}^{\ell} q_i$

3. Send $(p_i, q_i)$ to player $i$

4. Broadcast $(N, p_0, q_0)$

Decryption Phase

Input: Ciphertext $C$

1. All players compute $J = \left(\frac{C}{N}\right)$ (this computation is done publicly)

2. If $J \neq 1$, all players output $\bot$ and stop

3. Otherwise ($J = 1$), player $i$ broadcasts $b_i = C^{(-p_i - q_i)/4} \bmod N$

4. All players publicly compute $b_0 = C^{(N - p_0 - q_0 + 1)/4} \bmod N$

5. The decrypted bit $b$ is computed as $b = \left(1 - \prod_{i=0}^{\ell} b_i \bmod N\right)/2$

Fig. 1. $\ell$-out-of-$\ell$ decryption for the GM cryptosystem
more general $k$-out-of-$\ell$ threshold, provide robustness, and enable proactivation of the protocol. Additionally, we discuss how to remove the trusted dealer and perform the initial key generation in a distributed manner.

Key Distribution. The dealer generates primes $p, q \equiv 3 \bmod 4$ (where $|p| = |q| = n$) and sets $N = pq$. The public key is $N$, and the private key is computed as $d = (N - p - q + 1)/4$; note that $d$ is always an integer. For all $i$, the dealer chooses integers $p_i, q_i \in_R (0, 2^{2n})$ such that $p_i \equiv q_i \equiv 0 \bmod 4$. Finally, the dealer sets $p_0 = p - \sum_{i=1}^{\ell} p_i$ and $q_0 = q - \sum_{i=1}^{\ell} q_i$. The dealer sends $(p_i, q_i)$ to player $i$ and broadcasts $(N, p_0, q_0)$. We note that it would suffice for the dealer to send $(p_i + q_i)/4$ to each party, and this is likely what would be done in practice, but we prefer the present description for pedagogical reasons.

Decryption. Decryption of a ciphertext $C$ proceeds as follows: first, the Jacobi symbol $J = \left(\frac{C}{N}\right)$ is computed; this can be computed in polynomial time even without knowledge of the factorization of $N$. If $J \neq 1$, all players simply output $\bot$. Otherwise, player $i$ outputs $b_i = C^{(-p_i - q_i)/4} \bmod N$ (note that, by design, the exponent is an integer and hence $b_i$ can be efficiently computed). Players publicly compute $b_0 = C^{(N - p_0 - q_0 + 1)/4} \bmod N$ (again, by design, the exponent is an integer). Deciding whether $C$ is a quadratic residue may be done by computing $b' = \prod_{i=0}^{\ell} b_i \bmod N$. The decrypted bit is simply $b = (1 - b')/2$.

Theorem 1. The protocol of Figure 1 is simulatable for any adversary who passively eavesdrops on at most $\ell - 1$ parties. This implies the semantic security of the encryption scheme for such an adversary, assuming the hardness of deciding quadratic residuosity.

The proof is similar to the more involved proof of security for the Rabin-Williams signature scheme given below (cf. Theorem [?]), and is therefore omitted.
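The dealing and decryption phases of Figure 1 can be run end to end on toy parameters. The Python below is an added example, not code from the paper: it implements GM encryption, the Jacobi-symbol check that rejects ill-formed ciphertexts with $\bot$, the dealer's additive sharing of $(p, q)$ into multiples of 4, each player's partial $b_i$, and the public recombination. The primes 1019 and 1031 (both $\equiv 3 \bmod 4$) are constructed toy values and far too small for real use; all function names are the example's own.

```python
from random import Random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via the binary reciprocity algorithm."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:               # pull out factors of 2: (2/n) = -1 iff n = 3,5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                     # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0      # 0 means gcd(a, n) > 1


def gm_encrypt(N, bit, r):
    """Goldwasser-Micali: C = (-1)^bit * r^2 mod N for r in Z_N^*."""
    return (pow(-1, bit, N) * pow(r, 2, N)) % N


def deal(p, q, ell, rng):
    """Dealing phase of Figure 1: additive shares (p_i, q_i) of the factors, all = 0 mod 4."""
    assert p % 4 == 3 and q % 4 == 3
    n = p.bit_length()
    shares = [(4 * rng.randrange(1, 2 ** (2 * n) // 4), 4 * rng.randrange(1, 2 ** (2 * n) // 4))
              for _ in range(ell)]
    p0 = p - sum(pi for pi, _ in shares)   # may be negative; only p0 + sum(p_i) = p matters
    q0 = q - sum(qi for _, qi in shares)
    public = (p * q, p0, q0)               # broadcast to everyone
    return shares, public


def partial_decrypt(N, C, p_i, q_i):
    """Player i's contribution b_i = C^{(-p_i - q_i)/4} mod N.
    The exponent is a negative integer, so b_i is the inverse of C^{(p_i + q_i)/4}."""
    return pow(pow(C, (p_i + q_i) // 4, N), -1, N)


def combine(public, C, partials):
    """Decryption phase of Figure 1, computed by everyone from the broadcast values."""
    N, p0, q0 = public
    if jacobi(C, N) != 1:
        return None                         # bottom: ill-formed ciphertext
    b_prime = pow(C, (N - p0 - q0 + 1) // 4, N)   # b_0, the public factor
    for b_i in partials:
        b_prime = b_prime * b_i % N
    # The product equals C^{(N-p-q+1)/4}: +1 for a quadratic residue, -1 (i.e. N-1) otherwise.
    if b_prime == 1:
        return 0
    if b_prime == N - 1:
        return 1
    raise ValueError("shares do not recombine to +-1: some b_i is wrong")


def roundtrip(p, q, ell, bit, r, seed=7):
    """Deal, encrypt, have every one of the ell players contribute, and combine."""
    shares, public = deal(p, q, ell, Random(seed))
    N = public[0]
    C = gm_encrypt(N, bit, r)
    partials = [partial_decrypt(N, C, p_i, q_i) for p_i, q_i in shares]
    return combine(public, C, partials)


# Constructed toy primes, p = q = 3 mod 4 (not a secure size).
TOY_P, TOY_Q = 1019, 1031
```

Note that `combine` never needs $p$ or $q$: the exponents of the $b_i$ and of $b_0$ sum to $d = (N - p - q + 1)/4$ only once all $\ell$ contributions are multiplied together, which is exactly why a coalition of $\ell - 1$ players learns nothing beyond what $N$ already gives it.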


3.2 Extensions 

Reducing the Threshold. It is a severe limitation to require £ active servers in 
order to decrypt. More preferable is a /c-out-of-£ solution in which only k servers 
are required for decryption. A number of techniques exist for accomplishing this 
using the above protocol as a starting point; we sketch two such solutions here 
(but see 0 for another approach). 

One approach is to adapt the suggestions of Rabin @3 to our setting. First, 
the dealer fixes a prime P > 2 2n which is broadcast to all participants. Then, 
for each pi (and also qf), the dealer chooses a random (k — l)-degree polynomial 
/,(•) over the field Z p such that /,( 0) = pi. To player j , the dealer sends /, (j ) 
for 1 < i < l. This achieves a fc-out-of-t secret sharing of the {pi} (and also the 
{qi}). Decryption proceeds as before, with each player i broadcasting its share b t . 
In addition, players prove correctness of their shares using one of the robustness 
techniques described below. If player i cannot prove correctness of his share (or, 
more generally, if player i fails to participate), the remaining players can publicly 
reconstruct ( Pi,q% ) using the shares they have been given. The correct share b t 
may then be computed publicly and included in the calculation of b. We note 
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that, in case a trusted dealer is not available, each player may itself deal shares 
°f ( Pi,qt ) to the other players. If robustness is desired for this step, verifiable 
secret sharing (VSS) may be used. Details appear in E3- 

A problem with this approach is that it may unfairly penalize servers which 
are temporarily off-line or otherwise unable to participate in an execution of the 
protocol. If this happens, this player’s share is publicly reconstructed and hence 
available to an adversary eavesdropping on the protocol. Note that it may be 
much easier for an adversary to disconnect or prevent communication from a 
player than to corrupt a player (even passively). By “disconnecting” users one- 
by-one - possibly in parallel - an adversary may be able to obtain the secret key 
of the system 0 

An alternative is to use ideas motivated by the protocols of Frankel, et al-BBI- 
Let L = £\. Instead of the Aout-of-f additive sharing illustrated in Figure 1, the 
dealer now performs k- out-of-£ polynomial sharing as follows: The dealer chooses 
s* Gr (0, 2 2 ”) subject to s* = 0 mod 4, and additionally chooses a (fc — 1)- 
degree polynomial / over the integers - with coefficients chosen uniformly from 
{0,4 L, . . . ,L 3 2 3n k} - such that /( 0) = L 2 s*. The dealer distributes s* = f f(i) 
to player i. Finally, the dealer broadcasts the value p + q — L 2 s*. To decrypt, 
the players first choose a random subset A consisting of k players. Each player 
in A computes the appropriate Lagrange interpolation coefficient Zi t A and sets 
his (temporary) share to §i = Zi,A • s*. Note that, due to the careful choice of 
the polynomial /, the {.s,;} may be computed over the integers and furthermore 
Sj = 0 mod 4 for all i. The thus constitute a fc-out-of-fc additive sharing 

of L 2 s*, and may be used to decrypt as in Figure 1. Techniques to achieve 
robustness for the above approach are given in |2E| ■ 
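The second (Frankel-style) approach above is the one that avoids ever reconstructing a player's secret, so it is worth seeing the integrality argument actually hold. The Python below is an added example, not code from the paper: the dealer shares $L^2 s^*$ with an integer polynomial whose non-constant coefficients are multiples of $4L$, any $k$ players turn their shares $s_i$ into temporary shares $\tilde{s}_i = \lambda_{i,A} s_i$ (checked to be integers divisible by 4 that sum to $L^2 s^*$), and those are used to decrypt exactly as in Figure 1, with the broadcast value $p + q - L^2 s^*$ standing in for $(p_0, q_0)$. The toy primes are constructed and far too small for real use; the ciphertext is assumed well-formed (the Jacobi-symbol check is omitted here); all function names are the example's own.

```python
from fractions import Fraction
from math import factorial
from random import Random


def deal_polynomial(p, q, ell, k, rng):
    """Dealer: pick s* = 0 mod 4 and a degree-(k-1) integer polynomial f with f(0) = L^2 s*,
    L = ell!, other coefficients multiples of 4L; send s_i = f(i); broadcast p + q - L^2 s*."""
    assert p % 4 == 3 and q % 4 == 3
    n, L = p.bit_length(), factorial(ell)
    s_star = 4 * rng.randrange(1, 2 ** (2 * n) // 4)
    top = L ** 3 * 2 ** (3 * n) * k                        # coefficient range {0, 4L, ..., L^3 2^{3n} k}
    coeffs = [L * L * s_star] + [4 * L * rng.randrange(0, top // (4 * L) + 1) for _ in range(k - 1)]

    def f(x):
        return sum(c * x ** j for j, c in enumerate(coeffs))

    shares = {i: f(i) for i in range(1, ell + 1)}
    public = (p * q, p + q - L * L * s_star)
    return shares, public


def lagrange_at_zero(i, A):
    """lambda_{i,A} = prod_{j in A, j != i} (0 - j)/(i - j), as an exact rational."""
    lam = Fraction(1)
    for j in A:
        if j != i:
            lam *= Fraction(-j, i - j)
    return lam


def temporary_shares(shares, A):
    """s~_i = lambda_{i,A} * s_i for i in A. Because L*lambda_{i,A} is an integer and every
    f(i) is a multiple of 4L, each s~_i is an integer = 0 mod 4; together they sum to f(0)."""
    out = {}
    for i in A:
        st = lagrange_at_zero(i, A) * shares[i]
        assert st.denominator == 1 and st.numerator % 4 == 0, "not an integer multiple of 4"
        out[i] = st.numerator
    return out


def modpow_signed(C, e, N):
    """C^e mod N for e of either sign (negative e is a modular inverse; needs gcd(C, N) = 1)."""
    return pow(C, e, N) if e >= 0 else pow(pow(C, -e, N), -1, N)


def decrypt_with_subset(public, shares, A, C):
    """Players in A (|A| = k) decrypt GM ciphertext C as in Figure 1, using the s~_i."""
    N, v = public                                      # v = p + q - L^2 s*
    temp = temporary_shares(shares, A)
    b_prime = modpow_signed(C, (N - v + 1) // 4, N)    # public factor; exponent integral by design
    for st in temp.values():
        b_prime = b_prime * modpow_signed(C, -st // 4, N) % N   # b_i = C^{-s~_i/4} mod N
    return 0 if b_prime == 1 else 1 if b_prime == N - 1 else None


def gm_encrypt(N, bit, r):
    return (pow(-1, bit, N) * pow(r, 2, N)) % N


def roundtrip(p, q, ell, k, A, bit, r, seed=3):
    """Returns (recovered bit, whether the s~_i of A really add up to L^2 s*)."""
    shares, public = deal_polynomial(p, q, ell, k, Random(seed))
    N, v = public
    additive_ok = sum(temporary_shares(shares, A).values()) == p + q - v
    return decrypt_with_subset(public, shares, A, gm_encrypt(N, bit, r)), additive_ok


# Constructed toy primes, p = q = 3 mod 4 (not a secure size).
TOY_P, TOY_Q = 1019, 1031
```

The exponents multiply out to $(N - v + 1)/4 - \sum_{i \in A} \tilde{s}_i/4 = (N - p - q + 1)/4 = d$, which is why any $k$-subset recovers the bit, while no player's $s_i$ is ever published.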

Theorem 2. The protocol of Figure 0 modified using either of the approaches 
described above gives a k-out-of-l protocol which is simulatable for any adversary 
who passively eavesdrops on at most k — 1 parties. 

(Informal Idea of the) Proof. The approach of Rabin EH may be viewed 
as a “generic” approach which converts any i-out-oi-i scheme to a fc-out-of-t' 
scheme. The approach of Frankel, et al. 1261 must be more carefully modified for 
the cryptosystem at hand; for the modification sketched above, however, a proof 
follows easily using their techniques. ■ 

Robustness. We may distinguish two methods for adding robustness to the 
above protocol: methods which work for arbitrary A, and methods which work 
only when A is a product of strong primed. Methods specialized for the latter 
case can be more efficient; on the other hand, when distributed key generation 
is required, methods which work for arbitrary A may be preferred because dis- 
tributed generation of A' a product of safe primes Q is less efficient. 

Gennaro, et al. [?] give two methods for verifying correctness of the partial outputs b_i when N is a product of strong primes. One method, which is non-interactive, requires the dealer to distribute verification information to all players during the dealing phase; namely, V_{i,j} is sent to player i to enable his verification of player j. When executing the protocol, player i outputs b_i and also b_{i,j} for all j; player j verifies the correctness of b_i using V_{j,i} and b_{i,j}. This requires O(ℓ^2) memory for each player, and also increases the communication of the protocol (per player) to O(ℓ^2).

4 This was pointed out to us by an anonymous referee.

5 That is, N = pq with p = 2p' + 1 and q = 2q' + 1, where p, q, p', q' are all prime.

A second approach of [?] requires the dealer to choose a random element (of high order) g ∈ Z_N^* and broadcast g along with witnesses w_i = g^{(−p_i − q_i)/4} mod N, for all i. After player i broadcasts b_i, he engages in an (interactive) zero-knowledge proof with all other players in which he proves that log_g w_i = log_c b_i. Unfortunately, this approach seems to require interaction even in the random oracle model. More recently, Shoup (based on earlier work of [?]) describes a non-interactive, zero-knowledge proof (in the random oracle model) for equality of discrete logarithms. Here, players work in the subgroup of quadratic residues Q_N ⊂ Z_N^*; the dealer chooses g ∈ Q_N and player i now proves that log_{g^2} w_i^2 = log_{c^2} b_i^2 (squaring is necessary to ensure that values are in Q_N).

The above approaches suffice for N a product of strong primes. For general N, however, we must use other techniques to achieve robustness^6. One possibility is to use the cryptographic program-checking method of [?], which requires interaction between each pair of parties (this interaction can be reduced to only two rounds using a random oracle). Another approach extends the witness-based approach above. Using a random oracle, players may, as above, give an efficient, non-interactive, zero-knowledge proof [?] that log_g w_i = log_c b_i. A difficulty here is that soundness is only guaranteed if g is of high order; however, as shown in [?], a set (of super-logarithmic size) of random elements of Z_N^* generates a large-order subgroup of Z_N^* with all but negligible probability. Soundness can thus be guaranteed by fixing such a set as part of the dealing phase and having players give a non-interactive proof with respect to each element in this set. Fouque and Stern [22] suggest another method for achieving robustness; they require N of a special form but show how such N can be generated efficiently in a distributed manner.

The above approaches to proving correctness of exponentiation modulo N allow proofs of correctness for the partial shares b_i broadcast by each player in the protocol. Theorems 1 and 2, together with the results cited above, thus yield the following theorem:

Theorem 3. The protocol of Figure 1 augmented with any of the robustness techniques described above (appropriate for the modulus N) and any of the approaches for achieving a k-out-of-ℓ (k < ℓ/2) threshold (as described in Theorem 2) results in a robust protocol which is simulatable for any adversary who actively controls at most k − 1 parties.

Removing the Trusted Dealer. The efficiency improvement of the current protocol is most evident when a trusted dealer is not assumed, and the public modulus must be generated in a distributed fashion. In this case, our scheme has two advantages: (1) moduli of a special form (i.e., N a product of strong primes) are not required, in contrast with some recent solutions (e.g., [?]). (Even though a protocol has recently been given [?] for efficiently generating N of this form in a distributed fashion, this protocol remains less efficient than protocols for more general N [?].) Furthermore, (2) an expensive step of the distributed key-generation protocol can be skipped entirely. Specifically, computation of an inverse^7 over φ(N) (recall that φ(N) must remain hidden from the players) is not required in our scheme.

6 Although we still refer to a dealer, the techniques described here can be implemented easily following the (robust) distributed key-generation protocol of [?].

The protocol of Figure 1 may be combined modularly with the distributed key-generation protocols of [?]. Following execution of these key-generation protocols, all the players already have additive shares (p_i, q_i) of the factors of N. A small complication is that the protocol requires all players to have p_i = q_i = 0 mod 4. To deal with this, simply have player i choose p_i = q_i = 0 mod 4. Additionally, the “public remainder” may be set to (p_0, q_0) = (3, 3). Decryption is then done as before. A similar approach was used in, e.g., [?] where they require p = q = 3 mod 4.

Proactive Security. Proactive security may be added to our protocols using known techniques. For example, if the approach of Rabin [?] is used to achieve a k-out-of-ℓ threshold, the generic proactivation techniques given there will work here as well. Similarly, if the approach of Frankel, et al. [?] is used, the proactivation techniques given there will also work for the present protocol. Due to space limitations, we refrain from a detailed description of these techniques.

Chosen-Ciphertext Security. A generic method for making threshold cryptosystems secure against chosen-ciphertext attack was recently described [?], adapting the method of Naor and Yung [?] for the random oracle model. What is required are two schemes and an honest-verifier ZK proof of knowledge that two encryptions are of the same plaintext. Such a proof system for the GM cryptosystem is presented in Appendix A. Although the protocol given there is interactive, it can be made non-interactive (and reasonably efficient) in the random-oracle model.

4 A Threshold Signature Scheme Based on Factoring

Distributing the prime factors of the modulus among the participants offers a new paradigm for the construction of threshold systems over composite moduli. As a further example of the applicability of our technique, we describe a method for distributing the Rabin-Williams signature scheme [?], variants of which have been standardized as ISO 9796-2 and PKCS#1 v1.5. This scheme is particularly interesting since it offers the first threshold signature scheme whose security can be based on the hardness of factoring (in the random oracle model) [12].


7 This is precisely the step whose efficiency is improved by [?]. Here, we avoid this step altogether!
4.1 The (Modified) Rabin Signature Scheme

The modified Rabin signature scheme [?, Section 11.3.4] is defined as follows: a public key is generated by choosing two primes p, q of length n such that p = 3 mod 8 and q = 7 mod 8. The public key is set to N = pq (N of this form are called Williams integers). The private key is d = (N − p − q + 5)/8.

Messages m to be signed are assumed to be appropriately encoded and the resulting underlying message space is M = {m : m = 6 mod 16} (see [12]). First, the Jacobi symbol J = (m/N) is computed. If J = 1, set m̃ = m; if J = −1, set m̃ = m/2 (note that there is only negligible probability that J ≠ 1, −1). The signature is computed as s = m̃^d mod N.

To verify signature s on message m (where m = 6 mod 16), first compute m̂ = s^2 mod N. Then, verify the following:

— If m̂ = 6 mod 8, verify whether m = m̂

— If m̂ = 3 mod 8, verify whether m = 2m̂

— If m̂ = 7 mod 8, verify whether m = N − m̂

— If m̂ = 2 mod 8, verify whether m = 2(N − m̂)

We refer the reader to [?, Section 11.3.4] for a proof of correctness and further discussion.


4.2 An ℓ-out-of-ℓ Protocol

As above, we present the ℓ-out-of-ℓ solution here for simplicity (cf. Figure 2): extensions as discussed in Section [?] are applicable here as well.


Dealing Phase

Input: Composite N and primes p, q (|p| = |q| = n) such that N = pq with p = 3 mod 8 and q = 7 mod 8

1. Choose p_1, q_1, …, p_ℓ, q_ℓ ∈_R (0, 2^{2n}) such that p_i = q_i = 0 mod 8, for all i

2. Set p_0 = p − Σ_{i=1}^{ℓ} p_i and q_0 = q − Σ_{i=1}^{ℓ} q_i

3. Send (p_i, q_i) to player i

4. Broadcast (N, p_0, q_0)

Signature Generation Phase

Input: Message m = 6 mod 16 (appropriately encoded)

1. Player i computes J = (m/N) (this computation is done publicly)

2. If J = 1, set m̃ = m; else set m̃ = m/2

3. Player i broadcasts s_i = m̃^{(−p_i − q_i)/8} mod N

4. All players publicly compute s_0 = m̃^{(N − p_0 − q_0 + 5)/8} mod N

5. The signature s is computed as s = Π_{i=0}^{ℓ} s_i mod N

Fig. 2. ℓ-out-of-ℓ signing for the Rabin signature scheme
Key Distribution. The dealer generates primes p, q (where |p| = |q| = n, p = 3 mod 8, and q = 7 mod 8) and sets N = pq. The public key of the protocol is N, and the private key (see Section 4.1) is d = (N − p − q + 5)/8. For i = 1, …, ℓ, the dealer then chooses p_i, q_i ∈_R (0, 2^{2n}) such that p_i = q_i = 0 mod 8. The dealer sets p_0 = p − Σ_{i=1}^{ℓ} p_i and q_0 = q − Σ_{i=1}^{ℓ} q_i. Finally, the dealer sends (p_i, q_i) to player i and broadcasts (p_0, q_0).

Signature Generation. We assume the message m ∈ M to be signed is already encoded in some appropriate agreed-upon manner (i.e., as discussed above). First, the Jacobi symbol J = (m/N) is computed publicly (note that the Jacobi symbol can be computed in polynomial time even without knowledge of the factorization of N). If J = 1, define m̃ = m; if J = −1, define m̃ = m/2; this step may be done publicly as well.

The desired signature is s = m̃^d = m̃^{(N − p − q + 5)/8} mod N. Player i broadcasts the value s_i = m̃^{(−p_i − q_i)/8} mod N (note that, by design, the exponent is an integer and hence s_i can be efficiently computed). Players publicly compute s_0 = m̃^{(N − p_0 − q_0 + 5)/8} mod N (again, by design, the exponent is an integer). Finally, the signature is computed as s = Π_{i=0}^{ℓ} s_i mod N. Verification of the signature is exactly as described in Section 4.1.
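The following is an added worked example, not code from the paper: it implements the modified Rabin signature of Section 4.1 (key generation, the Jacobi-symbol reduction of m, signing and the four-case verification) and then the ℓ-out-of-ℓ dealing and signing phases of Figure 2, on a constructed toy key p = 11, q = 7 (so N = 77, d = 8). All function names are this example's own; the tiny modulus only makes the exponent bookkeeping visible, and with such small N the "negligible" case gcd(m, N) > 1 is not negligible, which the code reports rather than hides.

```python
# Added example (not from the paper): modified Rabin signatures (Section 4.1)
# and the l-out-of-l signing protocol of Figure 2 on a constructed toy key.
import random
from functools import reduce


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; needs no factorization of n."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # pull out factors of 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def keygen(p, q):
    """Williams integer N = pq with p = 3 mod 8, q = 7 mod 8; d = (N-p-q+5)/8."""
    assert p % 8 == 3 and q % 8 == 7
    N = p * q
    return N, (N - p - q + 5) // 8


def reduce_message(m, N):
    """m (= 6 mod 16) -> m~: m itself if (m/N) = 1, m/2 if (m/N) = -1."""
    assert m % 16 == 6
    J = jacobi(m, N)
    if J == 1:
        return m
    if J == -1:
        return m // 2
    raise ValueError("gcd(m, N) > 1: negligible for real-size N, not for toys")


def sign(m, N, d):
    return pow(reduce_message(m, N), d, N)


def verify(m, s, N):
    """Section 4.1 verification: m^ = s^2 mod N, then a case split on m^ mod 8."""
    if m % 16 != 6:
        return False
    mh = pow(s, 2, N)
    cases = {6: m == mh, 3: m == 2 * mh, 7: m == N - mh, 2: m == 2 * (N - mh)}
    return cases.get(mh % 8, False)


def deal(p, q, ell, n_bits, rng):
    """Dealing phase of Figure 2: (p_i, q_i) = 0 mod 8, public remainder (p_0, q_0)."""
    bound = 2 ** (2 * n_bits) // 8
    shares = [(8 * rng.randrange(1, bound), 8 * rng.randrange(1, bound))
              for _ in range(ell)]
    p0 = p - sum(pi for pi, _ in shares)
    q0 = q - sum(qi for _, qi in shares)
    return shares, (p0, q0)


def threshold_sign(m, N, shares, public_rem):
    """Signature generation phase of Figure 2; every exponent is an integer by design."""
    mt = reduce_message(m, N)
    p0, q0 = public_rem
    # step 3: player i broadcasts s_i = m~^{(-p_i - q_i)/8}.  The exponent is
    # negative, so s_i is an inverse mod N; pow() computes it since gcd(m~, N) = 1.
    partials = [pow(mt, (-pi - qi) // 8, N) for pi, qi in shares]
    # step 4: everyone computes s_0 from the public remainder
    s0 = pow(mt, (N - p0 - q0 + 5) // 8, N)
    # step 5: s = prod_{i=0}^{l} s_i mod N, i.e. m~ to the summed exponent d
    return reduce(lambda x, y: x * y % N, partials, s0)


if __name__ == "__main__":
    N, d = keygen(11, 7)                         # constructed toy key: N = 77, d = 8
    for m in (6, 38):
        s = sign(m, N, d)
        shares, rem = deal(11, 7, 3, 4, random.Random(2))
        assert threshold_sign(m, N, shares, rem) == s and verify(m, s, N)
        print(f"m={m}: s={s}; the three partial signatures multiply to s and it verifies")
```

Whatever random shares the dealer picks, the exponents of s_0, s_1, …, s_ℓ sum to (N − p − q + 5)/8 = d, so the product is the ordinary Rabin signature; the check at the end of the block makes that explicit for two messages with J = 1 and J = −1 respectively.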

Theorem 4. The protocol of Figure 2 is simulatable for any adversary who passively eavesdrops on at most ℓ − 1 parties. This implies that the signature scheme is existentially unforgeable under chosen message attacks, assuming the hardness of factoring (in the random oracle model).

Proof. A description of a simulator for the dealing phase and the signature generation phase appears in Figure 3. We assume (without loss of generality)


Simulation of Dealing Phase

Input: Composite N where |N| = 2n

1. Choose p_1, q_1, …, p_ℓ, q_ℓ ∈_R (0, 2^{2n}) such that p_i = q_i = 0 mod 8

2. Choose random p*, q* such that |p*| = |q*| = n, p* = 3 mod 8, and q* = 7 mod 8

3. Set p_0 = p* − Σ_{i=1}^{ℓ} p_i and q_0 = q* − Σ_{i=1}^{ℓ} q_i

4. Send (p_i, q_i) to player i, for 1 ≤ i ≤ ℓ − 1

5. Broadcast (p_0, q_0)

Simulation of Player ℓ in Signature Generation Phase

Input: Message m = 6 mod 16 (appropriately encoded); signature s

1. Compute J = (m/N)

2. If J = 1, set m̃ = m; else set m̃ = m/2

3. Compute s_i = m̃^{(−p_i − q_i)/8} mod N, for 1 ≤ i ≤ ℓ − 1

4. Compute s_0 = m̃^{(N − p_0 − q_0 + 5)/8} mod N

5. Broadcast s_ℓ = s / (Π_{i=0}^{ℓ−1} s_i) mod N

Fig. 3. Simulator for ℓ-out-of-ℓ threshold Rabin signature scheme
that the adversary eavesdrops on players 1, …, ℓ − 1. Simulatability of the dealing phase is evident from the following:

— The {p_i, q_i}_{1 ≤ i ≤ ℓ−1} have the same distribution as in a real execution of the protocol.

— The distribution on (p_0, q_0), conditioned on the values of {p_i, q_i}_{1 ≤ i ≤ ℓ−1} seen by the adversary, is statistically indistinguishable from the distribution on (p_0, q_0) in a real execution of the protocol. This is because, for any p, p* < 2^{n+1}, the distributions {p − p_ℓ}_{p_ℓ ∈_R (0, 2^{2n})} and {p* − p_ℓ}_{p_ℓ ∈_R (0, 2^{2n})} are statistically indistinguishable.

Simulatability of the signature generation phase (in particular, the value s_ℓ) follows easily from the simulatability of the dealing phase. ■

Efficient extensions to achieve optimal threshold, robustness, proactivation, and distributed key generation are all possible as outlined in Section [?]. Also, the above method extends to give threshold decryption of the Rabin encryption scheme [11], whose semantic security may be based on the hardness of factoring.
A Proof of Equality for GM Ciphertexts

Input: Blum integers N_1, N_2 and X_1, X_2 where:

{X_1 = (−1)^b x_1^2 mod N_1, X_2 = (−1)^b x_2^2 mod N_2} with x_j ∈ Z_{N_j}^* and b ∈ {0, 1}.

Repeat k times:

1. The prover chooses a random bit c and “twin encrypts” it; i.e.,

{V_1 = (−1)^c v_1^2 mod N_1, V_2 = (−1)^c v_2^2 mod N_2} for random v_j ∈ Z_{N_j}^*.

The prover sends V_1, V_2.

2. The verifier chooses a challenge bit d and sends it.

3. The prover responds by sending:

{m_1 = v_1 x_1^d mod N_1, m_2 = v_2 x_2^d mod N_2}

4. The verifier checks that there exists a bit a such that both:

m_1^2 = (−1)^a · V_1 · X_1^d mod N_1 and m_2^2 = (−1)^a · V_2 · X_2^d mod N_2

The verifier accepts only if the checks succeed in all iterations.

Fig. 4. Proof of knowledge of “twin” GM-encryption

The above proof system is complete and sound; furthermore, it is easy to show that it is an honest-verifier zero-knowledge proof of knowledge (in fact, it remains honest-verifier zero-knowledge when the k iterations are run in parallel). To turn this into a non-interactive proof of knowledge in the random oracle model, we can use the standard Fiat-Shamir technique.
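The protocol of Figure 4, as an added example that is not part of the paper: both sides of each iteration are implemented and run with the challenge bits supplied explicitly, so one can see that an honest prover always passes, that a pair of ciphertexts encrypting different bits fails every iteration with d = 1 (hence survives k iterations only with probability 2^{−k}), and that a verifier who only ever sends d = 0 learns nothing about equality. The moduli N_1 = 21 and N_2 = 33 are constructed toy Blum integers and all names are this example's own.

```python
# Added example (not from the paper): the k-round "twin" GM-encryption proof
# of Figure 4, with constructed toy Blum moduli 21 = 3*7 and 33 = 3*11.
import math
import random


def random_unit(N, rng):
    """Uniform element of Z_N^* (rejection sampling)."""
    while True:
        x = rng.randrange(2, N)
        if math.gcd(x, N) == 1:
            return x


def gm_encrypt(bit, N, rng):
    """GM ciphertext (-1)^bit * x^2 mod N; returns (X, x) so the prover keeps x."""
    x = random_unit(N, rng)
    return (pow(-1, bit, N) * x * x) % N, x


class TwinProver:
    """Knows x_1, x_2 with X_j = (-1)^b x_j^2 mod N_j for one common bit b."""

    def __init__(self, N1, N2, x1, x2, rng):
        self.N1, self.N2, self.x1, self.x2, self.rng = N1, N2, x1, x2, rng

    def commit(self):
        # step 1: twin-encrypt a fresh random bit c under both moduli
        self.c = self.rng.randrange(2)
        self.v1 = random_unit(self.N1, self.rng)
        self.v2 = random_unit(self.N2, self.rng)
        V1 = (pow(-1, self.c, self.N1) * self.v1 * self.v1) % self.N1
        V2 = (pow(-1, self.c, self.N2) * self.v2 * self.v2) % self.N2
        return V1, V2

    def respond(self, d):
        # step 3: m_j = v_j * x_j^d mod N_j (the bit b itself is never used)
        return (self.v1 * pow(self.x1, d, self.N1) % self.N1,
                self.v2 * pow(self.x2, d, self.N2) % self.N2)


def check_round(N1, N2, X1, X2, V1, V2, d, m1, m2):
    """Step 4: accept iff one bit a satisfies m_j^2 = (-1)^a V_j X_j^d mod N_j for both j."""
    for a in (0, 1):
        ok1 = m1 * m1 % N1 == pow(-1, a, N1) * V1 * pow(X1, d, N1) % N1
        ok2 = m2 * m2 % N2 == pow(-1, a, N2) * V2 * pow(X2, d, N2) % N2
        if ok1 and ok2:
            return True
    return False


def run_proof(prover, X1, X2, challenges):
    """One iteration per verifier challenge bit (step 2); accept only if all pass."""
    for d in challenges:
        V1, V2 = prover.commit()
        m1, m2 = prover.respond(d)
        if not check_round(prover.N1, prover.N2, X1, X2, V1, V2, d, m1, m2):
            return False
    return True


def demo(same_bit, challenges, seed=7):
    """Honest prover whose two ciphertexts encrypt bit 1, or a mismatched pair (1, 0)."""
    rng = random.Random(seed)
    N1, N2 = 21, 33                      # constructed Blum integers: 3*7 and 3*11
    X1, x1 = gm_encrypt(1, N1, rng)
    X2, x2 = gm_encrypt(1 if same_bit else 0, N2, rng)
    return run_proof(TwinProver(N1, N2, x1, x2, rng), X1, X2, challenges)


if __name__ == "__main__":
    k = [i % 2 for i in range(16)]
    print("same bit, 16 rounds:       ", demo(True, k))      # accepted
    print("different bits, 16 rounds: ", demo(False, k))     # rejected at the first d = 1
    print("different bits, only d = 0:", demo(False, [0, 0, 0]))  # accepted: no soundness
```

The reason a mismatch is caught whenever d = 1 is visible in step 4: with d = 1 the check forces a = c + b_1 mod 2 for the first modulus and a = c + b_2 mod 2 for the second, which no single bit a satisfies when b_1 ≠ b_2; with d = 0 both checks hold with a = c regardless of the plaintexts.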
Abstract. A commitment multiplication proof, CMP for short, allows a player who is committed to secrets s, s' and s'' = s · s', to prove, without revealing s, s' or s'', that indeed s'' = ss'. CMP is an important building block for secure general multi-party computation as well as threshold cryptography.

In the standard cryptographic model, a CMP is typically done interactively using zero-knowledge protocols. In the random oracle model it can be done non-interactively by removing interaction using the Fiat-Shamir heuristic. An alternative non-interactive solution in the distributed setting, where at most a certain fraction of the verifiers are malicious, was presented in [?] for Pedersen’s discrete log based commitment scheme. This CMP essentially consists of a few invocations of Pedersen’s verifiable secret sharing scheme (VSS) and is secure in the standard model.

In the first part of this paper, we improve that CMP by arguing that a building block used in its construction in fact already constitutes a CMP. This not only leads to a simplified exposition, but also saves on the required number of invocations of Pedersen’s VSS. Next we show how to construct non-interactive proofs of partial knowledge [?] in this distributed setting. This allows for instance to prove non-interactively the knowledge of l out of m given secrets, without revealing which ones. We also show how to construct efficient non-interactive zero-knowledge proofs for circuit satisfiability in the distributed setting.

In the second part, we investigate generalizations to other homomorphic commitment schemes, and show that on the negative side, Pedersen’s VSS cannot be generalized to arbitrary (black-box) homomorphic commitment schemes, while on the positive side, commitment schemes based on q-one-way-group-homomorphism [?], which cover a wide range of currently used schemes, suffice.


1 Introduction

Commitment schemes play an important role as a primitive in cryptographic protocols. Applications are found for instance in the construction of zero-knowledge proofs and arguments, secure multi-party computation and threshold cryptography. Using a commitment scheme, a player can commit to a secret value s by publishing a commitment C, in such a way that the commitment C reveals nothing about the secret s, i.e., the scheme is hiding. The player can later open C to reveal s in a way verifiable by everyone else, i.e., it is binding in the sense that the player can’t open C to any other value than s.

Many protocols using commitments require a player at some point to prove certain relations among a set of committed values, without revealing these committed values in the process. Assuming that addition or multiplication of secret values is well-defined, a player committed to s, s' and s'' will typically be required to prove that s'' = s + s' or that s'' = ss'. If the commitment scheme is homomorphic, as is the case with many known commitment schemes, the additive relation is trivial to handle, even non-interactively. A commitment multiplication proof (CMP), i.e., a secure protocol to handle the multiplicative relation, is generally less trivial to design.

In the two-player setting, there exist efficient interactive zero-knowledge protocols for all known homomorphic schemes [?]. These protocols can be adapted in a natural way to a distributed setting with n players and where up to t of them are malicious, for instance by simply letting each of the players be engaged in a separate run of the two-player protocol with the prover.

In [?] it is shown how this approach can be substantially improved by taking advantage of the fact that sufficiently many players are guaranteed to be honest. Namely, it is shown how to handle CMP in this distributed setting non-interactively in the case of Pedersen’s discrete logarithm based commitment scheme. This CMP essentially consists of a few Pedersen VSS’s and is non-interactive (from the prover’s point of view) in case everyone plays honestly, while the prover might have to answer accusations otherwise. We call this non-interactive with accusing. Moreover, it is totally non-interactive if t < n/3.

In the first part of this paper, we improve that CMP by arguing that a building block used in its construction in fact already constitutes a CMP. This not only leads to a simplified exposition, but also saves on the required number of invocations of Pedersen’s VSS. Next we show a new technique to construct non-interactive proofs of partial knowledge in this distributed setting, thereby extending the results of [?] for the interactive two-player case. This allows for instance to prove non-interactively the knowledge of l out of m given secrets, without revealing which ones. As an application, it allows to make the proof of correctness of a ballot in the [?] voting scheme non-interactive without resorting to random oracles. We also show how to construct efficient non-interactive zero-knowledge proofs for circuit satisfiability in the distributed setting.

In the second part, we investigate generalizations to other homomorphic commitment schemes, and show that on the negative side, Pedersen’s VSS cannot be generalized to arbitrary (black-box) homomorphic commitment schemes, while on the positive side, commitment schemes based on q-one-way-group-homomorphism [?], which cover a wide range of currently used schemes, suffice. Finally, we show how this positive result leads to error-free non-interactive zero-knowledge proofs of membership for non-trivial languages in this distributed setting.

We proceed by repeating the concepts of commitment schemes and (verifiable) secret sharing and by recalling the concrete schemes of Pedersen in the following Section 2. In Section 3 we define (zero-knowledge) distributed-verifier proofs and we show that Pedersen’s VSS can be seen as such a proof, and in Section 4 we present the CMP protocol and the proof protocols for partial knowledge and for general circuit satisfiability. Finally, in Section 5 we investigate to what extent the above protocols can be generalized to other homomorphic commitment schemes.

2 Preliminaries 

2.1 Pedersen’s Commitment Scheme 

A commitment scheme of the kind we consider over a finite domain S is given by a function family

com_pk : S × R_pk → C_pk

indexed by a public key pk, where R_pk and C_pk are finite sets. In a set-up phase, a concrete public key pk and thus function com_pk is fixed in a prescribed manner. By publishing a commitment C = com_pk(s, r) for a random r ∈ R_pk, such a scheme allows a party, Alice, to commit herself to a secret s ∈ S, such that the commitment C reveals nothing about the secret s (hiding property) while on the other hand Alice can open C to s by publishing (s, r) but only to s (binding property).

If S is a field K (or, more generally, a ring), then such a commitment scheme is called homomorphic, if the following holds: For any commitments C and C' and any number λ ∈ K, one can compute commitments S and P such that being able to open C and C' to values s and s', respectively, allows to open S to the sum s + s' and P to the product λs.

A well known homomorphic commitment scheme is the Pedersen commitment scheme [?], given by

com_{g,h} : F_q × F_q → G
(s, r) ↦ g^s h^r

where q is a prime, G is a (multiplicative) group of order |G| = q in which computing discrete logarithms is (assumed to be) hard, e.g. a subgroup of F_p^*, and g and h are randomly chosen generators of G. This scheme is unconditionally hiding and computationally binding, and it is homomorphic: If C = com_{g,h}(s, r) and C' = com_{g,h}(s', r') then C · C' = com_{g,h}(s + s', r + r') and C^λ = com_{g,h}(λs, λr).


2.2 Pedersen’s Verifiable Secret Sharing Scheme 

In a secret sharing scheme a dealer distributes a secret s to n players P_1, …, P_n (for simplicity we set P_i = i) by privately sending to each player P_i a share s_i in such a way that, for a fixed threshold t, up to t players have no information about the secret s (privacy) while t + 1 players (or more) are able to reconstruct it (correctness). While secret sharing only guarantees security against curious players that try to gather information they are not supposed to obtain but otherwise behave honestly, its stronger version verifiable secret sharing [?], VSS for short, is secure in the following sense against up to t dishonest players and a possibly dishonest dealer that behave in an arbitrary manner.

Privacy: In case of an honest dealer, the information the dishonest players gain 
during the distribution of the secret s gives no information about s. 
Correctness: As soon as the distribution is completed, there exists a fixed value 
s' such that every honest player will output s' as a result of the reconstruc- 
tion, and if the dealer is honest, then s' = s. 

The Pedersen VSS scheme [?] is based on Shamir’s secret sharing scheme [?] and Pedersen’s commitment scheme.

Protocol Share_{g,h}

1. To share a secret s ∈ F_q, the dealer chooses a random polynomial f_s(X) = a_0 + a_1 X + … + a_t X^t ∈ F_q[X] of degree at most t with constant coefficient a_0 = s, and he commits himself to this sharing polynomial f_s(X) by broadcasting commitments A_0, …, A_t of a_0, …, a_t, respectively. For every player P_i, the dealer computes the share

s_i = f_s(i) = s + a_1 i + … + a_t i^t ∈ F_q

and he opens the corresponding commitment

C_i = A_0 · A_1^i · … · A_t^{i^t}

privately to P_i, using the homomorphic property of the commitment scheme.

2. If P_i does not accept the opening, then P_i broadcasts an accusation against the dealer.

3. To any accusation of a player P_i, the dealer responds by opening C_i publicly.

4. If he fails to do this correctly then the sharing is rejected, otherwise it is accepted.

After the execution of this protocol, assumed that it has been accepted, every player P_i is committed to his share s_i by the commitment C_i, and he holds the corresponding information to open it. Hence, the reconstruction works as follows.

Protocol Reconstruct_{g,h}

Every player P_i publicly opens C_i to s_i. The shares s_i that have been correctly opened are then taken to reconstruct the secret by interpolation.
The pair (Share, Reconstruct) is a VSS if (and only if) t < n/2. Privacy holds unconditionally while correctness holds under the assumption that computing discrete logarithms is hard.

The scheme can be made completely non-interactive from the dealer’s point of view in case t < n/3 by replacing the steps 3 and 4 by

3.’ If the number of accusations is larger than t, then the sharing is rejected, otherwise it is accepted.

Namely, in this case, if the sharing is accepted then there are at least t + 1 honest players that have not accused the dealer in step 2 and hence have a consistent sharing that allows to reconstruct the secret (see also the proof of Proposition [?]).

Remark. Consider an accepted execution of the sharing protocol. By correctness, a secret value s' is fixed that can later be reconstructed. Since the information used by the players in the reconstruction originated with the dealer, we can conclude that the dealer knows this secret. In fact, it is straightforward to show, as we do later on, that the dealer not only knows s' but he also knows how to open the commitment A_0 used in the sharing protocol (to s').

3 Distributed Verifier Proofs 

3.1 Model and Definition 

We consider a prover P who wants to prove to a set of n verifiers V = {V_1, …, V_n}, that he knows some witness w without revealing it. We assume an adversary that can actively corrupt up to t of the n verifiers as well as the prover P, where we consider both cases t < n/2 and t < n/3. Some of the protocols require the adversary to be computationally bounded, and we assume him to be static, meaning that he has to corrupt the parties before the protocol execution. We assume that secure pairwise channels as well as broadcast channels are either provided by cryptographic means (in case of a bounded adversary) or given as primitives, though, for simplicity, also in the former case we will treat them as being perfectly secure.

Consider now two sets W and 𝓘 and an efficiently verifiable relation R ⊂ W × 𝓘. Given some public information I ∈ 𝓘, the prover wants to convince the verifiers that he knows a witness w ∈ W with (w, I) ∈ R.

Definition 1. A distributed verifier proof (of knowledge) for relation R is a protocol among a prover P and n verifiers V_1, …, V_n (all polynomially bounded), with a common input I, a private input w by P and a public output accept or reject, such that the following security properties hold, even if up to t of the n verifiers as well as the prover might be corrupted by the adversary.

Correctness: If P is honest and (w, I) ∈ R, then the output will be accept.
Soundness: There exists a knowledge extractor that can efficiently compute from the joint view of the honest players a witness w' satisfying (w', I) ∈ R, assumed that the output of the protocol is accept.
This soundness condition can come in three flavors: perfect, unconditional, or computational, meaning that the condition holds with probability 1, with overwhelming probability, or under some computational assumption, respectively.

A distributed verifier proof is called non-interactive, if the structure of the 
protocol is as follows. The prover sends to every verifier one message, a personal 
partial proof, and then every verifier votes to either accept or reject the proof, 
depending on whether he accepts or rejects his partial proof, and the outcome of 
the protocol is accept if and only if not more than t verifiers vote for rejection. 

It is called non-interactive with accusing, if it is non-interactive except that 
in case there are some rejections, the prover must broadcast the corresponding 
partial proofs, and the outcome of the protocol is accept if and only if none of 
these published proofs is rejected. 

Finally, it is called zero-knowledge, if the adversary can simulate his view of 
the protocol. 

The above soundness condition highlights the power of the distributed verifier setting in two ways: 1) The prover is not given to the knowledge extractor as a rewindable black-box. Thus, no rewinding argument is needed to prove the soundness of a protocol. 2) In case of perfect soundness it asserts that there is no knowledge error. Hence, acceptance of the proof always implies the knowledge of a witness w'. Of course, one can relax the definition by allowing to rewind the prover so that it becomes seamless with the standard definition of proof of knowledge [?] with a single verifier.

Such a distributed verifier proof can also be seen as a proof of membership where the prover proves the existence of a witness w with (w, I) ∈ R and therefore that I belongs to the language L_R = {I | ∃w : (w, I) ∈ R}. A proof of membership for language L in this model can be defined similarly, with the corresponding correctness and soundness conditions as follows.

Correctness: If P is honest and x £ L, then the output will be accept. 

Soundness: If the output of the protocol is accept, then x £ L. 

Again, soundness can come in different flavours. It is, however, important to note that in a usual single verifier proof perfect soundness can be achieved only for trivial languages while this is not true for distributed verifier proofs. This will be addressed further in Section 5.3. Proofs of membership in a distributed setting have also been introduced in [?] under the name of network zero-knowledge proofs.

3.2 Pedersen’s VSS as a Distributed Verifier Proof 

Let com_{g,h} : F_q × F_q → G, (s, r) ↦ g^s h^r be the Pedersen commitment scheme. For a commitment C = com_{g,h}(s, r) let Proof_{g,h}(C) denote an execution of Share_{g,h} with secret s, except that in step 1 of the protocol, A_0 = C is taken as commitment of a_0 = s. Then, Proof_{g,h}(C) is a zero-knowledge proof that the dealer can open the commitment C. More formally, for relation

R_{g,h} = {((s, r), C) | s, r ∈ F_q, C = com_{g,h}(s, r)} ⊂ (F_q)^2 × G

we have
Proposition 1. Protocol Proof_{g,h} is a perfectly sound zero-knowledge distributed-verifier proof for relation R_{g,h}, non-interactive in case t < n/3 and non-interactive with accusing in case t < n/2.

We stress that we have soundness and zero-knowledge independent of the quality of the commitment scheme com_{g,h}. In fact, this holds even in case the discrete logarithm log_g h is known and hence the binding property does not hold at all.

Proof of Proposition 1. Since, to any possible accusation, the honest prover only broadcasts correct information, the proof will be accepted. It remains to show soundness and zero-knowledge.

Soundness: Assume that the proof has been accepted, and let A be the set of honest players, respectively, in case of t < n/3, the set of honest players who have not accused the dealer. In any case, |A| ≥ t + 1 (and we assume without loss of generality that A = {1, …, t + 1}) and every player P_i ∈ A can open his commitment C_i to, say, s'_i. Let λ_1, …, λ_{t+1} be the reconstruction coefficients for the players in A. That is, Σ_{i=1}^{t+1} λ_i s_i = s for correctly computed shares s_i of s, which means that Σ_{i=1}^{t+1} λ_i Σ_{k=0}^{t} a_k i^k = s = a_0 and hence Σ_{i=1}^{t+1} λ_i i^k = δ_{k0} (where δ_{ij} = 1 if i = j and 0 otherwise). Because of the homomorphic property of the commitment scheme, the players of A can open the commitment C' = Π_{i=1}^{t+1} C_i^{λ_i} to s' = Σ_{i=1}^{t+1} λ_i s'_i. However, as

C' = Π_{i=1}^{t+1} C_i^{λ_i} = Π_{i=1}^{t+1} ( Π_{k=0}^{t} A_k^{i^k} )^{λ_i} = Π_{k=0}^{t} A_k^{Σ_{i=1}^{t+1} λ_i i^k} = Π_{k=0}^{t} A_k^{δ_{k0}} = A_0 = C   (1)

it follows that they can open C (to s').

Zero-Knowledge: Let A be the set of corrupted players. We assume without loss of generality that A = {1, …, t}. We make use of the well known fact that from the secret s and the shares s_1, …, s_t of the players in A, all the random sharing coefficients a_1, …, a_t can be computed in a linear way. Hence, writing s_0 = s = a_0, for every k ∈ {0, …, t} there exist coefficients μ_{k0}, …, μ_{kt} such that a_k = Σ_{j=0}^{t} μ_{kj} s_j, which means that s_i = Σ_{k=0}^{t} a_k i^k = Σ_{k=0}^{t} Σ_{j=0}^{t} μ_{kj} s_j i^k and hence Σ_{k=0}^{t} μ_{kj} i^k = δ_{ij}.

Given the commitment C for s, the players in A can simulate their view of the protocol as follows. For every P_i ∈ A they choose s_i ∈ F_q at random and compute a (random) commitment C_i for s_i, and for k = 0, …, t they compute A_k = Π_{j=0}^{t} C_j^{μ_{kj}}, where C_0 = C, such that A_0 = C and for every i ∈ A

Π_{k=0}^{t} A_k^{i^k} = Π_{k=0}^{t} Π_{j=0}^{t} C_j^{μ_{kj} i^k} = Π_{j=0}^{t} C_j^{Σ_{k=0}^{t} μ_{kj} i^k} = Π_{j=0}^{t} C_j^{δ_{ij}} = C_i.   (2)

Finally, it is not hard to see that A_1, …, A_t are independently random commitments of independently random values. □
4 Our Technical Contributions

4.1 An Improved Commitment Multiplication Proof 

Consider again Pedersen's commitment scheme $\mathrm{com}_{g,h}(s, r) = g^s h^r$, and let $C' \in G$ be an arbitrary commitment. Then the commitment scheme

$$\mathrm{com}_{C',h}(s^*, r^*) = (C')^{s^*} h^{r^*} = C'^{s^*} \cdot \mathrm{com}_{g,h}(0, r^*)$$

with basis $C', h$ inherits the following properties.

Lemma 1.

1. Being able to open (wrt. $\mathrm{com}_{g,h}$) $C'$ and $C''$ to values $s'$ and $s''$, respectively, allows to open $C''$ wrt. $\mathrm{com}_{C',h}$ to a value $s$ satisfying $ss' = s''$, and being able to open $C''$ to $0$ wrt. $\mathrm{com}_{g,h}$ allows to open $C''$ to $0$ wrt. $\mathrm{com}_{C',h}$.

2. The scheme $\mathrm{com}_{C',h}$ is as hiding and binding as $\mathrm{com}_{g,h}$, assumed that $C'$ cannot be opened to $0$ wrt. $\mathrm{com}_{g,h}$.

Proof. 1. Let $s, s', s'', r', r''$ satisfy $C' = \mathrm{com}_{g,h}(s', r')$, $C'' = \mathrm{com}_{g,h}(s'', r'')$ and $ss' = s''$. Then, for $r^* = r'' - sr'$ we have $\mathrm{com}_{g,h}(s'' - ss', r^*) = C'' \cdot C'^{-s}$ and hence $\mathrm{com}_{C',h}(s, r^*) = C'^{s} \cdot \mathrm{com}_{g,h}(0, r^*) = C''$. This also holds if $s = 0$ and thus $s'' = 0$, in which case $r^* = r''$.

2. First, for $r^* \in \mathbb{F}_q$ chosen at random, $\mathrm{com}_{C',h}(s^*, r^*)$ is clearly a random element of $G$, independent of $s^*$. Furthermore, knowing $s^* \neq \tilde s^*$ and $r^*$ and $\tilde r^*$ such that $\mathrm{com}_{C',h}(s^*, r^*) = \mathrm{com}_{C',h}(\tilde s^*, \tilde r^*)$, i.e. $C'^{s^*} \cdot \mathrm{com}_{g,h}(0, r^*) = C'^{\tilde s^*} \cdot \mathrm{com}_{g,h}(0, \tilde r^*)$, allows to open the commitment $C'$ to zero, namely $C' = \mathrm{com}_{g,h}(0, (r^* - \tilde r^*)/(\tilde s^* - s^*))$. □

This gives rise to the following CMP, which allows the prover to prove that he can open commitments $C$, $C'$ and $C''$ to values $s$, $s'$ and $s'' = ss'$, respectively. Note that the steps can be executed in parallel.

Protocol $\mathrm{MultProof}_{g,h}(C, C'; C'')$

1. The prover executes $\mathrm{Proof}_{g,h}(C)$.

2. The prover executes $\mathrm{Proof}_{C',h}(C'')$ using the same sharing polynomial $f_s(X)$ as in the above step (but new independent commitments wrt. $\mathrm{com}_{C',h}$).

3. Every player verifies whether his shares from step 1. and 2. coincide and accuses the dealer if it does not hold. In case $t < n/2$ (but not $t < n/3$) the dealer responds by opening the two corresponding commitments in public.

4. The prover executes $\mathrm{Proof}_{g,h}(C'')$.

This protocol also appeared in [?]. However, the security proof given there did not cover the case where the prover can open $C'$ to $s' = 0$, and therefore the protocol was extended to "also deal with the case $s' = 0$" by essentially adding another Pedersen VSS sharing. Our analysis shows that this is superfluous, and that the protocol as it stands is secure also in case $s' = 0$. Furthermore, we show that the case $s = 0$ is somewhat special. Namely, we show that if the prover can open the commitment $C$ to $s = 0$, then he can execute the protocol even without being able to open $C'$, as long as he can open $C''$ to $s'' = 0$. This of course also guarantees that $s'' = ss'$ (no matter what $s'$ is), but, as we will see in the next section, it also opens the door for new constructions in this setting like proofs of partial knowledge.

Theorem 1. The above protocol $\mathrm{MultProof}_{g,h}(C, C'; C'')$ is a perfectly sound zero-knowledge distributed verifier proof, non-interactive in case $t < n/3$ and non-interactive with accusing in case $t < n/2$, that the prover can open $C$, $C'$ and $C''$ as values $s$, $s'$ and $s'' = ss'$, or that he can open both $C$ and $C''$ as $0$.

Proof. Correctness: Follows from point 1. of Lemma 1 and the correctness of the protocol $\mathrm{Proof}_{g,h}$.

Soundness: According to Proposition 1, from the information received during Step 1., the honest players can compute $s$ and $r$ with $C = \mathrm{com}_{g,h}(s, r)$. Also, from the information received during Step 2., the honest players can compute the same $s$ and some $r^*$ with $C'' = \mathrm{com}_{C',h}(s, r^*) = C'^{s} \cdot \mathrm{com}_{g,h}(0, r^*)$. Finally, from the information received during Step 3., the honest players can compute $s''$ and $r''$ with $C'' = \mathrm{com}_{g,h}(s'', r'')$. It now follows that either $s = 0$ and hence $C'' = \mathrm{com}_{g,h}(0, r^*)$, which means that the honest players can open $C''$ to zero, or that

$$C' = C''^{1/s} \cdot \mathrm{com}_{g,h}(0, r^*)^{-1/s} = \mathrm{com}_{g,h}(s'', r'')^{1/s} \cdot \mathrm{com}_{g,h}(0, r^*)^{-1/s} = \mathrm{com}_{g,h}\big(s''/s,\ (r'' - r^*)/s\big),$$

which means that the honest players can open $C'$ to $s' = s''/s$.

Zero-Knowledge: The adversary can simulate his view of the protocol by simulating independently the protocols $\mathrm{Proof}_{g,h}(C)$, $\mathrm{Proof}_{C',h}(C'')$ and $\mathrm{Proof}_{g,h}(C'')$, as described in the proof of Proposition 1, except that he chooses the same shares for the simulation of $\mathrm{Proof}_{g,h}(C)$ and of $\mathrm{Proof}_{C',h}(C'')$. □
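As an added example (not code from the paper), the following Python computes the derived commitment scheme $\mathrm{com}_{C',h}$ of Lemma 1 and the two openings that the soundness argument of Theorem 1 relies on: from openings of $C'$ and $C''$ with $ss' = s''$ it derives $r^* = r'' - sr'$ so that $C'' = \mathrm{com}_{C',h}(s, r^*)$, and from the two openings of $C''$ it recovers the opening $(s''/s, (r'' - r^*)/s)$ of $C'$. It also shows why the case $s = 0$ needs no opening of $C'$. The group is a constructed toy safe-prime group and all function names are my own.

```python
# Pedersen commitments over a toy prime-order group and the derived scheme com_{C',h}
# from Lemma 1. Parameters are constructed for illustration and far too small for real use.
P = 2039        # safe prime, P = 2*Q + 1
Q = 1019        # prime order of the subgroup G of quadratic residues mod P
G_GEN = 4       # g = 2^2, an element of order Q
H_GEN = 9       # h = 3^2; the prover is assumed not to know log_g h


def com(base, s, r):
    """base^s * h^r mod P: base = G_GEN gives com_{g,h}, base = C' gives com_{C',h}."""
    return pow(base, s % Q, P) * pow(H_GEN, r % Q, P) % P


def opening_wrt_cprime(s, s1, r1, s2, r2):
    """Lemma 1, part 1: given openings (s1, r1) of C' and (s2, r2) of C'' with s*s1 == s2,
    return (C', C'', r*) where C'' = com_{C',h}(s, r*) and r* = r'' - s*r'."""
    if (s * s1 - s2) % Q:
        raise ValueError("relation s*s' = s'' does not hold")
    c1 = com(G_GEN, s1, r1)
    c2 = com(G_GEN, s2, r2)
    r_star = (r2 - s * r1) % Q
    return c1, c2, r_star


def recover_opening_of_cprime(s, r_star, s2, r2):
    """Soundness of Theorem 1 (case s != 0): from C'' = com_{C',h}(s, r*) and
    C'' = com_{g,h}(s'', r'') compute the opening (s''/s, (r'' - r*)/s) of C'."""
    s_inv = pow(s, -1, Q)
    return (s2 * s_inv) % Q, ((r2 - r_star) * s_inv) % Q


def zero_case_needs_no_opening(c_prime, r2):
    """Case s = 0: com_{C',h}(0, r'') = h^{r''} = com_{g,h}(0, r'') for *any* C',
    so a prover who can open C and C'' to 0 never needs an opening of C'."""
    return com(c_prime, 0, r2) == com(G_GEN, 0, r2)


if __name__ == "__main__":
    # constructed sample openings: s = 7, s' = 11, s'' = 77
    c1, c2, r_star = opening_wrt_cprime(7, 11, 123, 77, 456)
    print("C'' opens wrt com_{C',h}:", com(c1, 7, r_star) == c2)
    print("recovered opening of C':", recover_opening_of_cprime(7, r_star, 77, 456))
    print("s = 0 case for an arbitrary C':", zero_case_needs_no_opening(1234, 99))
```

The recovered opening equals the one the committer used for $C'$ (here $s' = 11$, $r' = 123$), which is exactly what lets the honest players extract $s'$ in the soundness proof; the third function is the observation behind the $s = 0$ exception stated in Theorem 1.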

4.2 Proofs of Partial Knowledge

In [?], an efficient solution was presented to construct proofs of partial knowledge in the two-player setting. Such a proof of partial knowledge allows for instance to prove the knowledge of (at least) $\ell$ out of $m$ given secrets without revealing which $\ell$ secrets. We will now present corresponding non-interactive protocols in the distributed-verifier setting. While the proof protocols of [?] rely on concepts like the dual access structure and the simulation of protocols, our distributed verifier proof protocols are based on the fact that the CMP protocol $\mathrm{MultProof}_{g,h}(C, C'; C'')$ can be executed by the prover even if he does not know $s'$ (as long as $s = s'' = 0$).

Let first $C_0$ and $C_1$ be two public Pedersen commitments and let the prover be able to open $C_w$ to say $s_w$, where either $w = 0$ or $w = 1$.

Protocol $\mathrm{OR\text{-}Proof}_{g,h}(C_0, C_1)$

The prover sets $b_w = 1$ and $b_{1-w} = 0$ as well as $d_w = s_w$ and $d_{1-w} = 0$, and he commits to $b_0, b_1, d_0$ and $d_1$ by $B_0, B_1, D_0$ and $D_1$, respectively. Then, he opens $B = B_0 \cdot B_1$ as $b_0 + b_1 = 1$ and executes $\mathrm{MultProof}_{g,h}(B_0, C_0; D_0)$ and $\mathrm{MultProof}_{g,h}(B_1, C_1; D_1)$.

According to Theorem 1 the prover can execute $\mathrm{MultProof}_{g,h}(B_{1-w}, C_{1-w}; D_{1-w})$ even without being able to open $C_{1-w}$ as long as he can open $B_{1-w}$ and $D_{1-w}$ to zero. On the other hand, if he cannot open $B_w$ to zero, which must be the case for at least one of $B_0$ and $B_1$ as he can open $B = B_0 \cdot B_1$ to $1$, $\mathrm{MultProof}_{g,h}(B_w, C_w; D_w)$ proves that he can open $C_w$.

This can easily be generalized to $\ell$-out-of-$m$ proofs, which, given $m$ commitments $C_1, \ldots, C_m$, allow to prove the knowledge of at least $\ell$ hidden secrets, without giving away which ones.

Protocol $\binom{m}{\ell}$-$\mathrm{Proof}_{g,h}(C_1, \ldots, C_m)$

For $i = 1, \ldots, m$, the prover sets $b_i = 1$ and $d_i = s_i$ if he can open $C_i$ (to $s_i$) and $b_i = d_i = 0$ otherwise, and he commits to $b_i$ and $d_i$ by $B_i$ and $D_i$, respectively. He proves that indeed $b_i \in \{0, 1\}$, i.e. $b_i(1 - b_i) = 0$, by executing $\mathrm{MultProof}_{g,h}(B_i, E/B_i; O)$, where $E = \mathrm{com}_{g,h}(1, 0) = g$ and $O = \mathrm{com}_{g,h}(0, 0) = 1$ are default commitments for $1$ and zero, respectively; he opens $B_1 \cdots B_m$ as $\ell$ and executes $\mathrm{MultProof}_{g,h}(B_i, C_i; D_i)$ for $i = 1, \ldots, m$.

The following is a somewhat more efficient solution where no proof of something like $b_i \in \{0, 1\}$ is needed. Consider Shamir's $\ell$-out-of-$m$ secret sharing scheme. As we have already used in the proof of Proposition 1, for $A \subseteq \{1, \ldots, m\}$ with $|A| \geq \ell$, there exist reconstruction coefficients $\lambda_{A,i}$, $i \in A$, such that $\sum_{i \in A} \lambda_{A,i} i^k = \delta_{k0}$. Based on this fact, we have the following enhanced protocol that allows the prover to prove that he can open the commitments $C_i$ with $i \in A$ for a subset $A \subseteq \{1, \ldots, m\}$ of size at least $\ell$.

Protocol $\binom{m}{\ell}$-$\mathrm{Proof}_{g,h}(C_1, \ldots, C_m)$

The prover chooses reconstruction coefficients $\lambda_{A,i}$, $i \in A$. For $i = 1, \ldots, m$, he puts $b_i = \lambda_{A,i}$ and $d_i = b_i s_i$ if $i \in A$ and $b_i = d_i = 0$ otherwise, and he generates commitments $B_1, \ldots, B_m$ and $D_1, \ldots, D_m$ for $b_1, \ldots, b_m$ and $d_1, \ldots, d_m$, respectively. For $k = 0, \ldots, \ell$, he opens the commitment $\prod_{i=1}^{m} B_i^{i^k}$ as $\delta_{k0}$, and he executes $\mathrm{MultProof}_{g,h}(B_i, C_i; D_i)$ for $i = 1, \ldots, m$.

Soundness of the above protocol relies on the binding property of the Pedersen commitment scheme (hence it allows small error probability).
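The identity $\sum_{i \in A} \lambda_{A,i} i^k = \delta_{k0}$ is what makes both equation (1) in the proof of Proposition 1 and the second $\binom{m}{\ell}$-Proof work. The following Python is an added example, not part of the paper: it computes Lagrange reconstruction coefficients over $\mathbb{F}_q$, checks the identity, runs Pedersen's Share with the per-player consistency check $C_i = \prod_k A_k^{i^k}$, collapses $\prod_i C_i^{\lambda_i}$ to $A_0$ as in (1), and opens the products $\prod_i B_i^{i^k}$ of the $\binom{m}{\ell}$-Proof to $\delta_{k0}$. The toy group and all function names are mine; the products are checked for $k = 0, \ldots, |A| - 1$ (the polynomial has degree $|A| - 1$), which is my parametrization of the protocol's range.

```python
import random

# Toy Pedersen group, constructed for illustration only (not secure).
P, Q = 2039, 1019      # safe prime P = 2Q + 1, subgroup order Q
G_GEN, H_GEN = 4, 9


def com(s, r):
    """Pedersen commitment com_{g,h}(s, r) = g^s h^r mod P."""
    return pow(G_GEN, s % Q, P) * pow(H_GEN, r % Q, P) % P


def lagrange_coeffs(A):
    """Reconstruction coefficients lambda_{A,i} (i in A) over F_Q:
    sum_i lambda_i f(i) = f(0) for every polynomial f of degree < |A|."""
    lam = {}
    for i in A:
        num, den = 1, 1
        for j in A:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam


def power_sums(lam, t):
    """[sum_i lambda_i i^k for k = 0..t]; equals [1, 0, ..., 0], i.e. delta_{k0}."""
    return [sum(l * pow(i, k, Q) for i, l in lam.items()) % Q for k in range(t + 1)]


def pedersen_share(s, t, n, rng=random):
    """Share: f_s(X) = s + a_1 X + ... + a_t X^t, public A_k = com(a_k, rho_k),
    private share (s_i, r_i) = (f_s(i), f_rho(i)) for player i."""
    a = [s] + [rng.randrange(Q) for _ in range(t)]
    rho = [rng.randrange(Q) for _ in range(t + 1)]
    A = [com(a[k], rho[k]) for k in range(t + 1)]
    shares = {}
    for i in range(1, n + 1):
        s_i = sum(a[k] * pow(i, k, Q) for k in range(t + 1)) % Q
        r_i = sum(rho[k] * pow(i, k, Q) for k in range(t + 1)) % Q
        shares[i] = (s_i, r_i)
    return A, shares


def check_share(A, i, s_i, r_i):
    """Player i accepts iff com(s_i, r_i) == prod_k A_k^{i^k}."""
    C_i = 1
    for k, A_k in enumerate(A):
        C_i = C_i * pow(A_k, pow(i, k, Q), P) % P
    return com(s_i, r_i) == C_i


def reconstruct_via_commitments(A, shares, subset):
    """Equation (1): prod_{i in subset} C_i^{lambda_i} collapses to A_0, and the matching
    combination of the openings opens A_0 = C to the secret. Returns (secret, ok)."""
    lam = lagrange_coeffs(subset)
    s = sum(lam[i] * shares[i][0] for i in subset) % Q
    r = sum(lam[i] * shares[i][1] for i in subset) % Q
    prod = 1
    for i in subset:
        prod = prod * pow(com(*shares[i]), lam[i], P) % P
    return s, prod == A[0] and com(s, r) == A[0]


def partial_knowledge_openings(A_set, m, rng=random):
    """(m choose l)-Proof: b_i = lambda_{A,i} for i in A, 0 otherwise. For k = 0..|A|-1
    the product prod_i B_i^{i^k} opens to delta_{k0} with randomness sum_i i^k rb_i.
    Returns the list of per-k opening checks."""
    lam = lagrange_coeffs(A_set)
    b = {i: lam.get(i, 0) for i in range(1, m + 1)}
    rb = {i: rng.randrange(Q) for i in range(1, m + 1)}
    B = {i: com(b[i], rb[i]) for i in range(1, m + 1)}
    checks = []
    for k in range(len(A_set)):
        prod = 1
        for i in range(1, m + 1):
            prod = prod * pow(B[i], pow(i, k, Q), P) % P
        r_k = sum(rb[i] * pow(i, k, Q) for i in range(1, m + 1)) % Q
        checks.append(prod == com(1 if k == 0 else 0, r_k))
    return checks
```

Running `pedersen_share(42, 2, 5)` and reconstructing from any three players returns 42 together with `True`, because the exponent of every $A_k$ with $k \geq 1$ in the product vanishes; `partial_knowledge_openings([2, 3, 5], 6)` shows the prover can open all the required products without revealing which three of the six indices make up $A$, since the $B_i$ themselves are hiding.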

It is not hard to see that this protocol can be generalized to any linear secret sharing scheme, not necessarily a threshold scheme. Hence, given an arbitrary linear secret sharing scheme over $\mathbb{F}_q$ for $m$ players with an access structure $\Gamma$, we have the following

Theorem 2. Under the DL-assumption, there exists a computationally sound zero-knowledge distributed-verifier proof, non-interactive in case $t < n/3$ and non-interactive with accusing in case $t < n/2$, that the prover can open a subset $C_{i_1}, \ldots, C_{i_\ell}$ of the commitments $C_1, \ldots, C_m$ corresponding to a qualified set $A = \{i_1, \ldots, i_\ell\} \in \Gamma$.
4.3 General Circuit Evaluation Proofs

Let $C$ be a binary circuit consisting of NAND gates.

Theorem 3. Under the DL-assumption, there exists a computationally sound zero-knowledge distributed-verifier proof, non-interactive in case $t < n/3$ and non-interactive with accusing in case $t < n/2$, that the prover knows a satisfying input to the circuit $C$.

Proof Sketch: Let $b = (b_1, \ldots, b_m)$ be a satisfying input for the circuit $C$. To prove knowledge of $b$, the prover generates a commitment $B_i$ for every input bit $b_i$ and proves that $b_i \in \{0, 1\}$ by executing $\mathrm{MultProof}_{g,h}(B_i, E/B_i; O)$. Inductively, for every NAND gate with input bits $b_l$ and $b_r$ to which he has already computed corresponding commitments $B_l$ and $B_r$, respectively, the prover computes a commitment $B_{out}$ for the output bit $b_{out} = b_l \text{ NAND } b_r$ and proves its correctness by executing $\mathrm{MultProof}_{g,h}(B_l, B_r; E/B_{out})$. Finally, he opens the commitment $B$ of the result bit $b = C(b_1, \ldots, b_m)$ as $1$. □

Another way to achieve this result is by combining the techniques from [?] based on proofs of partial knowledge with the protocols from the above section.

Clearly, if the circuit $C$ is an arithmetic circuit over the field $\mathbb{F}_q$, then there exists an even simpler proof protocol.
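To make the proof sketch concrete, here is an added Python example (mine, not the paper's) that commits to every wire of a small NAND circuit (XOR built from four NAND gates), produces the three openings behind each $\mathrm{MultProof}_{g,h}(B_i, E/B_i; O)$ and $\mathrm{MultProof}_{g,h}(B_l, B_r; E/B_{out})$ statement, and checks that the output wire opens to $1$. It reuses a constructed toy Pedersen group; it does not run the distributed proof itself, only the multiplicative relations $b_i(1-b_i) = 0$ and $b_l b_r = 1 - b_{out}$ that the proofs would establish.

```python
import random

# Toy Pedersen group, constructed for illustration only.
P, Q, G_GEN, H_GEN = 2039, 1019, 4, 9
E = G_GEN   # E = com_{g,h}(1, 0) = g, default commitment to 1
O = 1       # O = com_{g,h}(0, 0) = 1, default commitment to 0


def com(s, r):
    return pow(G_GEN, s % Q, P) * pow(H_GEN, r % Q, P) % P


def commit_bit(b, rng=random):
    """A wire is (value, randomness, commitment)."""
    r = rng.randrange(Q)
    return (b, r, com(b, r))


def bit_statement(wire):
    """Openings behind MultProof_{g,h}(B_i, E/B_i; O): B_i opens to b_i, E/B_i opens to
    1-b_i (randomness -r_i) and O opens to 0; the values satisfy b_i * (1-b_i) = 0.
    Returns the three openings and whether they are consistent."""
    b, r, B = wire
    e_over_b = E * pow(B, -1, P) % P
    openings = ((b, r, B), ((1 - b) % Q, -r % Q, e_over_b), (0, 0, O))
    ok = all(com(v, rr) == c for v, rr, c in openings) and (b * (1 - b)) % Q == 0
    return openings, ok


def nand_gate(left, right, rng=random):
    """Output wire for b_out = NAND(b_l, b_r), committed with fresh randomness."""
    bl, _, _ = left
    br, _, _ = right
    b_out = 1 - (bl & br)
    r_out = rng.randrange(Q)
    return (b_out, r_out, com(b_out, r_out))


def gate_statement(left, right, out):
    """Third commitment of MultProof_{g,h}(B_l, B_r; E/B_out): E/B_out must open to
    b_l*b_r = 1 - b_out, with randomness -r_out."""
    bl, _, _ = left
    br, _, _ = right
    b_out, r_out, B_out = out
    e_over_out = E * pow(B_out, -1, P) % P
    return com(bl * br, -r_out) == e_over_out


def xor_circuit_witness(x, y):
    """Commit to x, y and every gate of XOR = NAND(NAND(x,t), NAND(y,t)), t = NAND(x,y).
    Returns (output bit, all gate/bit relations consistent, output wire opens to 1)."""
    wx, wy = commit_bit(x), commit_bit(y)
    t = nand_gate(wx, wy)
    a, b = nand_gate(wx, t), nand_gate(wy, t)
    out = nand_gate(a, b)
    gates = [(wx, wy, t), (wx, t, a), (wy, t, b), (a, b, out)]
    ok = all(bit_statement(w)[1] for w in (wx, wy)) and all(gate_statement(*g) for g in gates)
    return out[0], ok, com(1, out[1]) == out[2]
```

For a satisfying input such as `xor_circuit_witness(1, 0)` every relation holds and the last wire opens to 1; for `(1, 1)` the relations still hold (the prover committed honestly) but the final opening to 1 fails, which is the step that ties the chain of multiplication proofs to the statement "the circuit evaluates to 1".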


5 Arbitrary Homomorphic Commitments 

In this section, we investigate to what extent Pedersen's VSS scheme and the above results can be generalized with regard to other homomorphic commitment schemes. Clearly, by the description in Section 2.2, Pedersen's VSS scheme, consisting of the protocols Share and Reconstruct, can be executed with an arbitrary homomorphic commitment scheme replacing the Pedersen scheme. However, it is not so clear whether this results in a secure VSS scheme. And indeed, we will show that the security cannot be proven for an arbitrary (black-box) homomorphic commitment scheme. This does not necessarily imply that there exists a secure commitment scheme under which the Pedersen-like VSS is insecure; however, it means that in order to result in a secure Pedersen-like VSS, a homomorphic commitment scheme must inherit some additional properties. On the other hand, to relax the impact of this negative result, we present sufficient conditions for a homomorphic commitment scheme that guarantee the security of the corresponding Pedersen-like VSS and the resulting distributed-verifier proofs. We then show that these conditions are satisfied by so called $q$-one-way-group-homomorphism based schemes [7], which cover all currently known homomorphic commitment schemes with finite domain. Finally, we show how this positive result leads to error-free non-interactive zero-knowledge proofs of membership.
5.1 The Impossibility Result

Recall that a commitment scheme over a field $K$ is called homomorphic if, given two commitments $C$ and $C'$ and a field element $\lambda \in K$, one can compute commitments $S$ and $P$ such that being able to open $C$ and $C'$ to values $s$ and $s'$, respectively, allows to open $S$ to $s + s'$ and $P$ to $\lambda s$. We will denote these mappings $(C, C') \mapsto S$ and $(\lambda, C) \mapsto P$ by "$\ast$" and "$\circ$", respectively, i.e. we write $S = C \ast C'$ and $P = \lambda \circ C$. The following theorem states that the Pedersen VSS scheme described in Section 2.2 cannot be generalised to a homomorphic commitment scheme com that is given as a black-box and where only the security requirements and the homomorphic property are guaranteed. The idea is that with respect to some unconditionally-hiding homomorphic commitment scheme, the dealer might be able to come up with commitments $A_0 = C, A_1, \ldots, A_t$ for the secret and the sharing coefficients, computed in some way such that he is not able to open (all of) them, but nevertheless he can open the corresponding commitments $C_1, \ldots, C_n$ to a set $s_1, \ldots, s_n$ of inconsistent shares. This is for instance the case if the dealer can compute a commitment $A_1$ such that he can open $2 \circ A_1, \ldots, (n-1) \circ A_1$ to $2, \ldots, n-1$, respectively, such that it looks as if $A_1$ "contains" $1$, and $n \circ A_1$ to, let's say, $n+1$. Indeed, by choosing $A_1$ this way and $A_0 = C$ and $A_2, \ldots, A_t$ as required by the Share protocol, the dealer could open the corresponding commitments $C_2, \ldots, C_n$, computed as $C_i = C \ast (i \circ A_1) \ast \ldots \ast (i^t \circ A_t)$, to a set of inconsistent shares (though he cannot open $C_1$). Since we do not require the dealer to be able to open $A_1$, and the homomorphic property does not require anything like $\lambda^{-1} \circ (\lambda \circ C) = C$ (as can be observed for existing schemes, see Section 5.2), the existence of such a commitment $A_1$ does not a priori contradict the security of the commitment scheme, if it is unconditionally hiding and hence a statement like "$A_1$ contains $1$" does not make sense. We will now show that also a posteriori, this does not contradict the security (or the homomorphic property) of the commitment scheme by presenting an oracle with respect to which there exists a secure homomorphic commitment scheme, however the corresponding Pedersen-like VSS is insecure.

Theorem 4. Let $K$ be a field of size $2^k$, where $k$ is a security parameter. There exists an oracle $\mathcal{O}$ relative to which there exists a secure homomorphic commitment scheme $\mathrm{com}_\mathcal{O} : K \times K \to K$ such that the resulting Pedersen-like VSS, consisting of $\mathrm{Share}_\mathcal{O}$ and $\mathrm{Reconstruct}_\mathcal{O}$, is insecure.

The oracle $\mathcal{O}$ in mind has history tapes $\mathcal{H}$, $\mathcal{M}$ and $\mathcal{A}$, which are all empty at the beginning, and one can make commit-, multiply-, add- and cheat-queries, to which $\mathcal{O}$ answers as follows:

commit-query: input $s, r \in K$, output $C = \mathrm{com}_\mathcal{O}(s, r) \in K$

If there exists $C \in K$ such that $(s, r; C) \in \mathcal{H}$, then $\mathcal{O}$ returns $C$. Else, $\mathcal{O}$ chooses a random $C \in K$, writes $(s, r; C)$ to the history tape $\mathcal{H}$ and returns $C$.

multiply-query: input $\lambda, C \in K$, output $C' = \mathrm{multiply}_\mathcal{O}(\lambda, C) \in K$

If there exists $C' \in K$ such that $(\lambda, C; C') \in \mathcal{M}$, then $\mathcal{O}$ returns $C'$. Else, if there exist $s, r \in K$ such that $(s, r; C) \in \mathcal{H}$, then $\mathcal{O}$ computes $C' = \mathrm{com}_\mathcal{O}(\lambda s, \lambda r)$, while otherwise it chooses $C' \in K$ at random, and it writes $(\lambda, C; C')$ to the history tape $\mathcal{M}$ and returns $C'$.

add-query: input $C, C' \in K$, output $C'' = \mathrm{add}_\mathcal{O}(C, C') \in K$

If there exists $C'' \in K$ such that $(C, C'; C'') \in \mathcal{A}$, then $\mathcal{O}$ returns $C''$. Else, if there exist $s, r, s', r' \in K$ such that $(s, r; C), (s', r'; C') \in \mathcal{H}$, then $\mathcal{O}$ computes $C'' = \mathrm{com}_\mathcal{O}(s + s', r + r')$, while otherwise it chooses $C'' \in K$ at random, and it writes $(C, C'; C'')$ to the history tape $\mathcal{A}$ and returns $C''$.

cheat-query: input $n \in \mathbb{N}$, output $(r^{(2)}, \ldots, r^{(n)}; C, C^{(2)}, \ldots, C^{(n)}) \in K^{n-1} \times K^n$

$\mathcal{O}$ chooses random $r^{(2)}, \ldots, r^{(n)} \in K$ and $C, C^{(2)}, \ldots, C^{(n)} \in K$. For $i = 2$ to $n$, it writes $(i, C; C^{(i)})$ to the history tape $\mathcal{M}$. For $i = 2$ to $n-1$, it writes $(i, r^{(i)}; C^{(i)})$ to the history tape $\mathcal{H}$, and it writes $(n+1, r^{(n)}; C^{(n)})$ to the history tape $\mathcal{H}$. Finally, it returns $r^{(2)}, \ldots, r^{(n)}$ and $C, C^{(2)}, \ldots, C^{(n)}$.

This oracle gives indeed rise to a homomorphic commitment scheme $\mathrm{com}_\mathcal{O} : K \times K \to K$. Namely, as indicated by the notation, for $s, r \in K$, the commitment $\mathrm{com}_\mathcal{O}(s, r)$ is the answer of the oracle $\mathcal{O}$ to a commit-query with input $s$ and $r$, and the multiply- and add-queries provide the homomorphic property. E.g. being able to open $C$ to $s$, i.e. knowing $r$ such that $(s, r; C) \in \mathcal{H}$, allows to open $\lambda \circ C = \mathrm{multiply}_\mathcal{O}(\lambda, C)$, the answer $C'$ to a multiply-query with input $\lambda$ and $C$, to the value $\lambda s$, since after the query $(\lambda s, \lambda r; C') \in \mathcal{H}$ and hence $\mathrm{com}_\mathcal{O}(\lambda s, \lambda r) = C'$. Furthermore, the cheat-query allows the dealer (together with a corrupted first player $P_1$) to misbehave as described in the beginning of this section to distribute an inconsistent sharing among the remaining players $P_2, \ldots, P_n$. It remains to show the security of $\mathrm{com}_\mathcal{O}$. The commitment $C$ of a secret $s$, generated with whatever query, is a random number in $K$, independent of anything else, and hence the scheme is hiding. Because of the same reason, $C \neq C'$ for every pair $(s, r; C), (s', r'; C')$ of entries of $\mathcal{H}$, except with small probability, and hence the scheme is binding.

It is not hard to see from the above construction that with respect to this homomorphic commitment scheme $\mathrm{com}_\mathcal{O}$, Proposition 1 and similarly Theorems 1 to 3 do not hold.
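The oracle of Theorem 4 can be simulated directly, which makes the negative result tangible. The following Python is an added example (mine, not from the paper): it lazily samples $\mathrm{com}_\mathcal{O}$ from history tapes $\mathcal{H}$, $\mathcal{M}$, $\mathcal{A}$, answers the cheat-query as specified, and then lets a dealer colluding with $P_1$ run Share with $t = 1$. Every honest player's check $C_i = A_0 \ast (i \circ A_1)$ passes, yet different pairs of players reconstruct different secrets. It uses a prime field $\mathbb{Z}_p$ in place of the $\mathbb{F}_{2^k}$ of the theorem (the argument does not depend on the characteristic), and the parameters and names are constructed.

```python
import random


class BlackBoxOracle:
    """Oracle O of Theorem 4 over a prime field Z_p (toy substitute for K = GF(2^k)).
    Commitments are fresh random field elements; multiply/add are answered consistently
    from the history tapes H, M, A; cheat plants a commitment C whose multiples i o C
    open to 2, ..., n-1 for i < n but to n+1 for i = n."""

    def __init__(self, p, rng=random):
        self.p, self.rng = p, rng
        self.H = {}  # (s, r) -> C
        self.M = {}  # (lam, C) -> lam o C
        self.A = {}  # (C, C') -> C * C'

    def _opening(self, C):
        for (s, r), c in self.H.items():
            if c == C:
                return s, r
        return None

    def commit(self, s, r):
        key = (s % self.p, r % self.p)
        if key not in self.H:
            self.H[key] = self.rng.randrange(self.p)
        return self.H[key]

    def multiply(self, lam, C):
        key = (lam % self.p, C)
        if key not in self.M:
            op = self._opening(C)
            self.M[key] = self.commit(lam * op[0], lam * op[1]) if op else self.rng.randrange(self.p)
        return self.M[key]

    def add(self, C, Cp):
        key = (C, Cp)
        if key not in self.A:
            o1, o2 = self._opening(C), self._opening(Cp)
            if o1 and o2:
                self.A[key] = self.commit(o1[0] + o2[0], o1[1] + o2[1])
            else:
                self.A[key] = self.rng.randrange(self.p)
        return self.A[key]

    def cheat(self, n):
        """Returns C, the randomness r^(i) and the multiples C^(i) for i = 2..n, with
        (i, C; C^(i)) in M, (i, r^(i); C^(i)) in H for i < n and (n+1, r^(n); C^(n)) in H."""
        C = self.rng.randrange(self.p)
        rs = {i: self.rng.randrange(self.p) for i in range(2, n + 1)}
        Cs = {i: self.rng.randrange(self.p) for i in range(2, n + 1)}
        for i in range(2, n + 1):
            self.M[(i, C)] = Cs[i]
        for i in range(2, n):
            self.H[(i, rs[i])] = Cs[i]
        self.H[(n + 1, rs[n])] = Cs[n]
        return C, rs, Cs


def cheating_share(oracle, s, n):
    """Dealer colluding with P_1, t = 1: A_0 = com(s, rho), A_1 = the cheat commitment.
    Returns A_0, A_1 and shares {i: (s_i, r_i)} for the honest players i = 2..n."""
    rho = oracle.rng.randrange(oracle.p)
    A0 = oracle.commit(s, rho)
    A1, rs, _ = oracle.cheat(n)
    shares = {}
    for i in range(2, n + 1):
        value = i if i < n else n + 1          # what i o A_1 actually opens to
        shares[i] = ((s + value) % oracle.p, (rho + rs[i]) % oracle.p)
    return A0, A1, shares


def verify_share(oracle, A0, A1, i, share):
    """Player i's Pedersen-style check: com(s_i, r_i) == A_0 * (i o A_1)."""
    return oracle.commit(*share) == oracle.add(A0, oracle.multiply(i, A1))


def reconstruct_pair(p, i, si, j, sj):
    """Interpolate the degree-1 polynomial through (i, s_i), (j, s_j) at 0."""
    return (i * sj - j * si) * pow(i - j, -1, p) % p


def demo(p=2147483647, s=7, n=5):
    """All honest checks pass, yet players {2,3} and {4,5} reconstruct different values."""
    oracle = BlackBoxOracle(p)
    A0, A1, shares = cheating_share(oracle, s, n)
    checks = all(verify_share(oracle, A0, A1, i, sh) for i, sh in shares.items())
    rec_23 = reconstruct_pair(p, 2, shares[2][0], 3, shares[3][0])
    rec_45 = reconstruct_pair(p, 4, shares[4][0], 5, shares[5][0])
    return checks, rec_23, rec_45
```

With $s = 7$ and $n = 5$ the shares of $P_2, \ldots, P_5$ are $9, 10, 11, 13$: players 2 and 3 reconstruct 7, players 4 and 5 reconstruct 3, and nobody accused the dealer. Nothing in the hiding or binding property of $\mathrm{com}_\mathcal{O}$ is violated, which is exactly why a black-box homomorphic commitment is not enough for Pedersen-style VSS.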

5.2 Generalization to q-OWGH-Based Commitments 

Inspecting for instance the proof of Proposition 1, which is essentially identical to a security proof of Pedersen's VSS scheme, one immediately sees that we made extensive use of the fact that for Pedersen's commitment scheme the operation "$\ast$" is a group operation, and that "$\circ$", given by exponentiation, fulfils

$$(C \cdot C')^\lambda = C^\lambda \cdot C'^\lambda, \qquad C^{\lambda + \lambda'} = C^\lambda \cdot C^{\lambda'} \qquad \text{and} \qquad C^{\lambda\lambda'} = (C^\lambda)^{\lambda'}$$

which may not hold for other homomorphic schemes. In fact, with respect to the schemes listed in the appendix, this holds only for Pedersen's. For instance, if $C$ is a commitment with respect to the QR-based commitment scheme $\mathrm{com}_t(s, r) = t^s r^2$ over $\mathbb{F}_2 = \{\bar 0, \bar 1\}$ ($\bar x$ denotes the residue class of $x$ modulo $q$ hereafter), then in general $C^{\bar 1} \cdot C^{\bar 1} = C \cdot C = C^2 \neq 1 = C^{\bar 0} = C^{\bar 1 + \bar 1}$. On the other hand, it is not hard to see that these were the sole conditions needed (besides the homomorphic property), not only for the proof of Proposition 1, but also for all results from the sections above. Hence, the above properties give a sufficient condition for a homomorphic commitment scheme in order to generalize the security of Pedersen's VSS scheme as well as our results to this commitment scheme. And, as a matter of fact, even some weaker condition suffices (which, by the way, is fulfilled by the above QR-based scheme, as will be shown):

It should be feasible to open the commitments

$$(C \cdot C')^\lambda / (C^\lambda \cdot C'^\lambda), \qquad C^{\lambda + \lambda'} / (C^\lambda \cdot C^{\lambda'}) \qquad \text{and} \qquad C^{\lambda\lambda'} / (C^\lambda)^{\lambda'} \qquad (3)$$

to zero for any commitments $C$, $C'$ and numbers $\lambda$, $\lambda'$, knowing only $C$, $C'$, $\lambda$ and $\lambda'$.

Indeed, consider for instance (1) in the proof of Proposition 1. Even though it might be that $C' \neq C$, it is guaranteed by these properties that the commitment $C/C'$ can be opened to zero knowing only $C$ and $C'$, and hence being able to open $C'$ (to $s'$) also allows to open $C = (C/C') \cdot C'$ (to $s'$). This kind of reasoning allows to generalize all the previous proofs, and hence we have

Proposition 2. The security of Pedersen's VSS scheme as well as Proposition 1 and Theorems 1 to 3 hold for every homomorphic commitment scheme satisfying the above condition (3).

We will now show that all $q$-one-way-group-homomorphism based commitment schemes, which contain all so far known homomorphic schemes with finite domain, fulfil this condition (3). We start by recalling the concept of $q$-one-way-group-homomorphism. Let $q$ be a prime number. Loosely speaking, a $q$-one-way-group-homomorphism, $q$-OWGH for short, is a homomorphism $f : H \to G$ among two finite Abelian groups $H$ and $G$, such that $f$ is one-way, but, for a randomly chosen $y \in G$, it is feasible to compute $v \in H$ with $f(v) = y^q$. For formal definitions we refer to [7], where this concept was introduced.

Such a $q$-OWGH induces in a generic way a computationally binding commitment scheme over the field $\mathbb{F}_q$. Namely the scheme

$$\mathrm{com}_{g,f} : \mathbb{F}_q \times H \to G, \quad (s, r) \mapsto g^s f(r)$$

where $g$ is randomly chosen from $\mathrm{im}(f) \subseteq G$ and $g^s$ is defined as $g^\sigma$ with $\sigma \in \{0, \ldots, q-1\}$ such that $\bar\sigma = s$. Note, it is not required that $G$ has order $q$.

If a $q$-OWGH $f : H \to G$ is unconditionally binding [7], meaning that there exists $t \in G$ such that $t$ has order $q$ modulo $\mathrm{im}(f)$ and $t^i f(r)$ and $t^j f(s)$ are computationally indistinguishable for all $i$ and $j$ and for randomly (and independently) chosen $r$ and $s$, then $f$ also induces a computationally hiding commitment scheme over $\mathbb{F}_q$. Namely,

$$\mathrm{com}_{t,f} : \mathbb{F}_q \times H \to G, \quad (s, r) \mapsto t^s f(r)$$

for such a particular $t \in G$. For the security proof of these commitments, we refer to [7].

An important property of these commitment schemes is that they are homomorphic. Indeed, if $C = \mathrm{com}(s, r) = g^s f(r)$ and $C' = \mathrm{com}(s', r') = g^{s'} f(r')$ and $\lambda \in \mathbb{F}_q$, we have, writing $s = \bar\sigma$, $s' = \bar\sigma'$, $\lambda s + s' = \bar\sigma''$ and $\lambda = \bar\ell$ with $\sigma, \sigma', \sigma'', \ell \in \{0, \ldots, q-1\}$ as well as $\ell\sigma + \sigma' = kq + \sigma'' \in \mathbb{Z}$,

$$C^\lambda C' = (g^\sigma f(r))^\ell g^{\sigma'} f(r') = g^{\ell\sigma + \sigma'} f(\ell r + r') = g^{kq + \sigma''} f(\ell r + r') = g^{\lambda s + s'} f(kv + \ell r + r')$$

where $v \in H$ is computed such that $f(v) = g^q$.

Lemma 2. For any $q$-OWGH based commitment scheme, any commitments $C$ and $C'$ and numbers $\lambda, \lambda' \in \mathbb{F}_q$, the commitments

$$(C \cdot C')^\lambda / (C^\lambda \cdot C'^\lambda), \qquad C^{\lambda + \lambda'} / (C^\lambda \cdot C^{\lambda'}) \qquad \text{and} \qquad C^{\lambda\lambda'} / (C^\lambda)^{\lambda'}$$

can be opened to zero knowing only $C$, $C'$, $\lambda$ and $\lambda'$.

Proof. Clearly, $(C \cdot C')^\lambda = C^\lambda \cdot C'^\lambda$ and thus $(C \cdot C')^\lambda / (C^\lambda \cdot C'^\lambda) = 1 = \mathrm{com}_{g,f}(0, 0)$. Furthermore, if $\lambda = \bar\ell$, $\lambda' = \bar\ell'$ and $\lambda\lambda' = \bar\ell''$ with $\ell, \ell', \ell'' \in \{0, \ldots, q-1\}$ and $\ell\ell' = kq + \ell''$, we get

$$C^{\lambda\lambda'} / (C^\lambda)^{\lambda'} = C^{\ell'' - \ell\ell'} = C^{-kq} = f(-kv) = \mathrm{com}_{g,f}(0, -kv)$$

where $v \in H$ is computed such that $f(v) = C^q$. And of course, the same argument can be applied to $C^{\lambda + \lambda'} / (C^\lambda C^{\lambda'})$. □

It now follows from Proposition 2:

Theorem 5. The security of Pedersen's VSS scheme as well as Proposition 1 and Theorems 1 to 3 hold for every $q$-OWGH based commitment scheme.
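For the RSA-based instance from the appendix ($f(x) = x^q \bmod n$), the exponent $s$ in $g^s$ is reduced modulo $q$ while $\mathbb{Z}_n^*$ is not of order $q$, which is exactly why $C^{\lambda\lambda'} \neq (C^\lambda)^{\lambda'}$ in general. The following Python, an added example and not the paper's code, computes the homomorphic combination $\lambda \circ C \ast C'$ together with its opening from the derivation above, and the Lemma 2 correction term $C^{-kq} = f(-kv)$ with $v = C$ (since $f(C) = C^q$). The modulus and exponent are constructed toy values; because $H = \mathbb{Z}_n^*$ is written multiplicatively here, the randomness $kv + \ell r + r'$ of the text becomes $v^k r^\ell r'$.

```python
# q-OWGH based commitment from the RSA function f(x) = x^q mod N (toy parameters,
# constructed for illustration; a real modulus is much larger).
N = 3233               # 53 * 61
Q = 7                  # prime q with gcd(q, phi(N)) = 1, so f is a permutation of Z_N^*
G_GEN = pow(2, Q, N)   # g chosen in im(f)


def f(x):
    """The q-OWGH candidate x -> x^q mod N."""
    return pow(x, Q, N)


def com(s, r):
    """com_{g,f}(s, r) = g^s f(r), with s taken as its representative in {0..q-1}."""
    return pow(G_GEN, s % Q, N) * f(r) % N


def inv(x):
    return pow(x, -1, N)


def opens_to(C, s, r):
    return C == com(s, r)


def scalar_mul(C, lam):
    """lam o C := C^ell with ell the representative of lam in {0..q-1}."""
    return pow(C, lam % Q, N)


def combine(C, lam, Cp):
    """The homomorphic combination lam o C * C' from the text."""
    return scalar_mul(C, lam) * Cp % N


def combined_opening(s, r, lam, sp, rp):
    """Opening of lam o C * C': value lam*s + s' mod q and randomness v^k * r^ell * r',
    where ell*sigma + sigma' = k*q + sigma'' and v = g satisfies f(v) = g^q."""
    sigma, sigma_p, ell = s % Q, sp % Q, lam % Q
    k = (ell * sigma + sigma_p) // Q
    v = G_GEN
    r_new = pow(v, k, N) * pow(r, ell, N) * rp % N
    return (lam * s + sp) % Q, r_new


def lemma2_zero_opening(C, lam, lam_p):
    """Lemma 2: C^{lam*lam'} / (C^lam)^{lam'} = C^{-k q} = f(C^{-k}) opens to 0 with
    randomness C^{-k}. Returns (ratio, randomness, opens-to-zero, ratio == 1)."""
    ell, ell_p = lam % Q, lam_p % Q
    k = (ell * ell_p) // Q
    ratio = scalar_mul(C, ell * ell_p) * inv(scalar_mul(scalar_mul(C, ell), ell_p)) % N
    r0 = pow(inv(C), k, N)
    return ratio, r0, opens_to(ratio, 0, r0), ratio == 1
```

With $\lambda = 5$ and $\lambda' = 4$ we have $\ell\ell' = 20 = 2 \cdot 7 + 6$, so the naive identity fails (the ratio is $C^{-14} \neq 1$) but the ratio still opens to zero with randomness $C^{-2}$, which is all condition (3) asks for.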

Note that Shamir's secret sharing scheme does not work over $\mathbb{F}_q$ if $q < n$. Hence, in this case, Pedersen's VSS and the resulting proof protocols have to be based on a different linear secret sharing scheme. However, it is straightforward to verify that replacing Shamir's secret sharing scheme in Pedersen's VSS and the resulting proof protocols by an arbitrary linear secret sharing scheme [?] does not affect any of the results. This also allows to generalize the results to arbitrary (not necessarily threshold) adversary structures [?].


5.3 On Proofs of Membership 

In this last section, we show that in the distributed-verifier setting there exist error-free non-interactive zero-knowledge proofs of membership for non-trivial languages, which are well known not to exist in the usual single-verifier setting.

Recall the protocol Proof introduced above, but now based on an arbitrary $q$-OWGH based commitment scheme $\mathrm{com} : \mathbb{F}_q \times H \to G$. It allows the dealer to prove that he can open a given commitment $C$ to some value. Assume now that he wants to prove that he can open $C$ to a concrete given value $s$, e.g. $s = 0$. This can be done simply by executing the protocol Proof as given, except that the dealer uses the default sharing polynomial $f_s(X) = s$ (instead of a random one), such that every share coincides with $s$ (and if this is not the case for some player then he accuses the dealer). We denote this modified protocol by $\mathrm{Proof}'$. It can be shown similarly to the proof of Proposition 1 that this indeed proves that the dealer can open $C$ to $s$, or, in terms of proofs of membership, that $C$ is a commitment of $s$:

Proposition 3. Protocol $\mathrm{Proof}'$ is a perfectly sound zero-knowledge distributed-verifier proof that $C$ is in $\{\mathrm{com}(s, r) \mid r \in H\} \subseteq G$, non-interactive in case $t < n/3$ and non-interactive with accusing in case $t < n/2$.

Using unconditionally binding commitment schemes like the QR- or the DCR-based ones described in the appendix, this results in error-free non-interactive proofs for non-trivial subgroup membership problems: the former allows to prove that a given number is a quadratic residue modulo an RSA modulus $n$, and the latter that a given number is an $n$-th power modulo $n^2$, simply by proving that the number is a commitment of $s = 0$.

In fact, one can construct proofs for arbitrary subgroup membership problems (even if they do not result from homomorphic commitments), i.e., proofs that allow to prove that a group element $C \in G$ belongs to a subgroup $G' \subseteq G$, as long as for every $C \in G'$ there exists a corresponding witness $w$ in a group $H$ such that the mapping $\varphi : H \to G'$, $w \mapsto C$ is a group homomorphism. Namely, by executing Proof using $\mathrm{com} = \varphi$ as "commitment": the dealer chooses random witnesses $a_1, \ldots, a_t \in H$, publishes the corresponding subgroup elements $A_k = \varphi(a_k) \in G'$, $k = 1, \ldots, t$, and sends the witness for $C_i = C \cdot A_1^{i} \cdot \ldots \cdot A_t^{i^t} \in G'$ privately to player $P_i$, $i = 1, \ldots, n$. For instance, this way one can prove that a triple $(u, v, w) \in G^3$ is a Diffie-Hellman triple with respect to $g$, i.e. that $(u, w) \in \{(g^a, v^a) \mid a \in \mathbb{F}_q\} \subseteq G \times G$. Note, in this example, $\varphi : \mathbb{F}_q \to G^2$, $a \mapsto (g^a, v^a)$.

If the order of the group $H$ is not known, then Shamir's secret sharing scheme can be replaced by a black box secret sharing scheme [?].
A Examples of q-OWGH Based Commitments

Based on the DL-Problem

Let $p$ be prime and $G = \langle h \rangle$ a subgroup of $\mathbb{Z}_p^*$ with prime order $q$. Then the exponentiation function $f : \mathbb{Z}_{p-1} \to G$, $x \mapsto h^x$ is (a candidate for) a $q$-OWGH. Indeed, given $y \in G$, $v = 0$ fulfils $f(v) = 1 = y^q$.

The resulting commitment scheme is the Pedersen commitment scheme we were considering in the first part.

Based on the RSA-Problem

The RSA function $f : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$, $x \mapsto x^q$ for a prime exponent $q$ is (a candidate for) a $q$-OWGH. Given $y \in \mathbb{Z}_n^*$, $v = y$ fulfils $f(v) = y^q$.

The resulting commitment scheme is $\mathrm{com}_{g,f}(s, r) = g^s r^q$.

Based on Factoring and on the QR-Problem

Squaring modulo an RSA modulus $n$, $f : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$, $x \mapsto x^2$ is (a candidate for) an unconditionally binding 2-OWGH. Given $y \in \mathbb{Z}_n^*$, $v = y$ fulfils $f(v) = y^2$ and any quadratic non-residue $t \in \mathbb{Z}_n^*$ with Jacobi symbol $+1$ fulfils the requirements for the unconditionally binding property, assumed that the QR-problem is hard.

The resulting computationally binding commitment scheme is $\mathrm{com}_{g,f}(s, r) = g^s r^2$ for a random quadratic residue $g$ and the resulting computationally hiding scheme is $\mathrm{com}_{t,f}(s, r) = t^s r^2$ for a quadratic non-residue $t$ with Jacobi symbol $+1$, both occurring in [?].

Based on Computing n-th Roots mod n² and on the DCR Assumption

The function $f : \mathbb{Z}_{n^2}^* \to \mathbb{Z}_{n^2}^*$, $x \mapsto x^n$ for an RSA modulus $n$ is (a candidate for) an unconditionally binding $n$-OWGH. Given $y \in \mathbb{Z}_{n^2}^*$, $v = y$ fulfils $f(v) = y^n$ and e.g. $t = n + 1 \in \mathbb{Z}_{n^2}^*$ fulfils the requirements for the unconditionally binding property, based on the decisional composite residuosity (DCR) assumption [?].

The resulting computationally binding commitment scheme is $\mathrm{com}_{g,f}(s, r) = g^s r^n$ for a random $n$-th power $g$ and the resulting computationally hiding scheme is $\mathrm{com}_{t,f}(s, r) = t^s r^n$ for e.g. $t = n + 1 \in \mathbb{Z}_{n^2}^*$, i.e. the Paillier encryption function [?].

Note that even though $n$ is not a prime, it can be treated in this context as one, as it is (assumed to be) hard to find non-trivial divisors.
Abstract. We study the problem of secure communication tolerating generalized mixed adversaries across an underlying completely asynchronous incomplete network. We explore the interplay between the minimal network connectivity required and the degree of security attainable, and completely characterize the network requirements for attaining perfect and unconditional (with negligible error) security. We also consider networks with additional broadcast capabilities and prove that unconditionally secure communication can be achieved with much lesser connectivity if the network assures the broadcast primitive.


1 Introduction 

Consider $n$ players who are connected by an underlying communication network $\mathcal{N}$. Our concern is to make sure that every player can talk to every other player. Two players can talk to each other if they are connected by an edge. Hence, we can trivially guarantee that every player can talk to every other player if the underlying network $\mathcal{N}$ is complete. But do we require all the $\binom{n}{2}$ direct connections (or edges)? Can we not ensure that all the players can communicate with one another with a lesser number of edges? Evidently, the smallest connected network (viz. a tree) would suffice to allow every pair of players to be able to talk (though indirectly). However, such minimal connectivity is not enough if one player wants to secretly talk to another player, i.e., the sender $S$ has to transmit a message to the receiver $R$ such that all the other players should get no information about the message transmitted, even if some non-trivial subset of players (excluding $S$ and $R$) collude and behave maliciously. The interplay between information-theoretically secure communication and minimal network connectivity has been studied extensively. Dolev et al. in [?] proved that a synchronous network has to be at least $(\max(t_a, t_p) + t_a + 1)$-connected for secure message transmission to be guaranteed between every two players, where up to $t_p$ players collude and only eavesdrop on the messages routed through them (passive faults), while up to $t_a$ players collude and maliciously try to disrupt the protocol apart from eavesdropping (active or Byzantine faults). These results were recently generalized in [?] to the non-threshold case modeling only Byzantine faults: perfectly secure transmission is possible if and only if the union of the players in no two potentially faulty subsets of players forms a vertex cut-set of the graph (wherein the potentially faulty subsets of players are enumerated as an adversary structure [?]). However, these results are restricted to the case where the underlying network is synchronous. Asynchronous perfectly secure communication for the case of threshold adversaries was studied in [?]. In essence, a $(\max(t_a, t_p) + 2t_a + 1)$-connected network is necessary and sufficient. Unconditionally secure communication with negligible error in reliability (i.e., $R$ might receive a wrong message) was studied in detail in [?]. However, these results are restricted to the threshold case assuming that the underlying network is synchronous. We initiate a study of asynchronous secure communication tolerating faulty players, some passive and some others active, characterized as generalized mixed adversary structures (as in [?]) and investigate the minimal connectivity requirements for perfect security and unconditional security.

A very important primitive used by all protocols for secure communication is that of reliable, yet insecure communication (e.g. [?] calls it public transmission). By this we mean, any message $m$ sent by player $S$ to player $R$ is correctly received by $R$; however, the other players may have considerable (or even full) information about $m$. We can achieve this reliable communication trivially if we are assured that the network $\mathcal{N}$ has broadcast capability.¹ However, if $\mathcal{N}$ does not have broadcast capabilities, one should be able to simulate reliable transmission using a protocol. We study the minimum network connectivity which guarantees the possibility of such reliable transmission in networks without broadcast capabilities. We show that the existence of a broadcast channel does not reduce the connectivity requirement for perfectly secure asynchronous communication.

In line with [?], the generalized mixed adversary is characterized by a generalized
adversary structure (see Definition 1), i.e. a set of pairs (D, E), where
D and E are disjoint subsets of the set of players, wherein the adversary may
select one arbitrary pair from the structure and corrupt the players in D actively
(i.e. take full control) and in addition passively corrupt (i.e. read and process
the information of) the players in E. Among our results, we show that in the perfect
setting, secure message transmission between any pair of (honest) nodes in a
completely asynchronous network is possible if and only if neither the removal
of the players in the union of any three sets of potential active collusions, nor the
removal of the players in the union of any two sets of potential active collusions
with any one corresponding set of potential passive collusion, leaves the network
disconnected. Evidently, the above condition generalizes the threshold adversary
requirement of a (max(t_a, t_p) + 2t_a + 1)-connected network. Interestingly, we prove
that the same condition given above is necessary and sufficient even in the case
of unconditional security, though the resultant protocol is less complex. Thus,
the minimal connectivity requirement is unaffected by the weakening of security.
However, in the presence of a broadcast channel, the perfect setting still requires
the same amount of connectivity, whereas in the unconditional setting it is (necessary
and) sufficient if the players in the union of any two sets of potential
active collusions with any one corresponding set of potential passive collusion do not form
a vertex cut-set of the network (i.e., only the second half of the above condition
is sufficient). In all the above cases, the designed protocols have both their
computation and communication complexities polynomial in the size of the maximal
basis of the adversary structure.

1 By definition, if a message m is sent using a broadcast channel then all the players
correctly receive (the same) m.

Motivated by the facts that network synchrony is hard to achieve and that a
threshold adversarial model is insufficient to model all types of mutual (dis)trust,
we generalize the results of [?] to the generalized mixed adversary model
and/or to asynchronous networks (see Section 7), in the perfect setting. Furthermore,
in the unconditional setting, we initiate the study of asynchronous
secure communication (see Section 6) and the study of the unconditional-with-broadcast
model (see Section 5).

Asynchronous secure communication is an important primitive for secure
multiparty computation over asynchronous incomplete networks. Thus, our results
can be used to transform the asynchronous secure computation protocols
that run over a complete network (e.g. [?]) into ones that can be executed over
incomplete networks.

The usefulness of some of our results is illustrated, for instance, through the
following implication: Consider an asynchronous chordal ring network of four
players as shown in Fig. 1. The most powerful adversary that previously known
protocols (e.g. [?]) for perfectly secure communication among the players over
the asynchronous network in Fig. 1 could tolerate is one that passively corrupts
one arbitrary player (since the chordal ring network is 2-connected, we require that
2 > max(t_a, t_p) + 2t_a, giving t_a = 0 and t_p = 1). Using our results, one can
perfectly tolerate an adversary that passively corrupts player P1 or player P4 or
(even) actively corrupts player P2 or player P3.

Fig. 1. Network (a chordal ring on the players P1, P2, P3, P4).


2 Preliminaries

We consider a network N(V, ℰ), where V = {P_1, P_2, ..., P_n} denotes the set of
players (nodes) in the network that are connected by the edges as defined by
ℰ ⊆ V × V. Formally, all the n players (nodes) in the network N can be modeled
as probabilistic interactive Turing Machines. We assume that randomization is
achieved through random bits. We assume that the underlying network N is
asynchronous, i.e., a message sent on a channel/path can be arbitrarily delayed
(similar to the communication model in [?]). However, if two nodes P_i and P_j
are directly connected by a link (edge), then each message that player P_i sends
to P_j through the link is eventually received (albeit possibly out of order).

The set of faults in the players is usually captured using the notion of an
external centralized adversary. A computationally unbounded adversary B is
a probabilistic strategy that controls/corrupts a subset of players (and/or the
edges connecting the players) and endeavors to violate the security of the system.
We assume, without loss of generality, that the adversary can control/corrupt
only the players and not the edges connecting them (see footnote 2).

Our notional adversary is a passive adversary if all dishonest players exhibit
only passive adversarial behaviour, that is, all the corrupted players can collusively
gather all the information they get and run any arbitrary computation on this
information. The adversary is a Byzantine adversary if all dishonest players
show active adversarial behaviour, that is, in addition to eavesdropping, they
can maliciously alter their behaviour in an arbitrary and coordinated fashion (see footnote 3). If
some players exhibit only passive adversarial behaviour while others exhibit active
adversarial behaviour, the adversary is called a mixed adversary. Depending upon
the amount of knowledge one has about the adversarial behaviour of the players,
adversaries can be modeled as either threshold adversaries or generalized (or
non-threshold) adversaries. When modeled as a threshold adversary, a maximum of
t out of the n players are assumed to exhibit adversarial behaviour. Hirt and
Maurer [?] transferred and adjusted the notion of access structures (introduced
in [?] for secret sharing) to the field of general secure multiparty computation,
which was subsequently adapted to the secure communication setting in [?]:
the behaviour of the faulty players is characterized by an adversary structure,
which is a monotone set of subsets of players, wherein the players in any one of
these subsets are corruptible by the adversary.

In our study we consider mixed adversaries modeled using generalized adversary
structures (like in [?]). In this model, some subset of players D shows active
adversarial behaviour and at the same time, some other subset of players E shows
only passive adversarial behaviour. Hence, the adversary is characterized by a
monotone (see footnote 4) set of classes C = (D, E), where D, E ⊆ V and D ∩ E = ∅. The
players in one specific class are corruptible by the adversary: players in D are
actively corrupted while those in E are passively corrupted.

Definition 1 ([?]). A generalized mixed adversary structure A is a monotone
set of classes C = (D, E), where D, E ⊆ V and D ∩ E = ∅. The maximal basis of
A is defined as the collection of classes

$$\{(D,E) \mid (D,E) \in \mathcal{A},\ \nexists (X,Y) \in \mathcal{A} \text{ with } (X,Y) \neq (D,E),\ X \supseteq D,\ Y \supseteq E\}.$$

We abuse the notation A to denote the maximal basis.

2 This is because any adversary corrupting both the players and edges of a network
N can be simulated by an adversary corrupting the players alone on a new network
N' obtained by replacing each insecure edge e = (P_i, P_j) by a player P_ij and two edges
e_1 = (P_i, P_ij) and e_2 = (P_ij, P_j).

3 Note that this subsumes fail-stop faults wherein the dishonest players alter their
behaviour in a pre-specified manner, viz., do not respond at all.

4 Monotone means that if a class C = (D, E) belongs to the structure, then all classes
C' = (D', E') such that D' ⊆ D and E' ⊆ E are also elements of the structure.

Remark: Similar to the classical threshold model, the threshold mixed adversarial
model can be defined as one in which up to t_a players maliciously attempt
to disrupt the protocol, while up to t_p other players only eavesdrop.

We introduce the notion of a path adversary (like in [?]). Any message transmitted
from a player P_i to a player P_j should traverse a path in N connecting
the players. Hence, it is more appropriate to consider paths as corruptible entities
rather than considering the adversarial behaviour of the individual players.
We characterize this path adversary with the help of a generalized mixed structure.
Let the set of all paths between players P_i and P_j in N be denoted by
X_path(P_i, P_j).

Definition 2. Given the generalized mixed adversary structure A, we denote
the path adversary structure over a subset of paths Φ(P_i, P_j) ⊆ X_path(P_i, P_j) as
A_path(P_i, P_j). A_path(P_i, P_j) is a monotone set of pairs of subsets of Φ(P_i, P_j). For
every class C = (D, E) ∈ A there is a corresponding class Λ = (Λ_D, Λ_E) ∈
A_path(P_i, P_j) such that Λ_D (or Λ_E) is the set of all paths in Φ(P_i, P_j) between
P_i and P_j passing through any of the players in D (or E, respectively). More
precisely,

$$\mathcal{A}_{path}(P_i,P_j) = \{(\Lambda_D,\Lambda_E) \mid (D,E) \in \mathcal{A},\ \Lambda_D = \Phi(P_i,P_j) \setminus N[V \setminus D],\ \Lambda_E = \Phi(P_i,P_j) \setminus N[V \setminus E]\},$$

where N[U] denotes the set of all paths in the sub-network induced by N on the
vertices in U ⊆ V.

Definition 3. Given the generalized mixed adversary structure A, the network
is said to be A^(k,ℓ)-connected if for any max(k, ℓ) classes C_{i_1}, C_{i_2}, ..., C_{i_max(k,ℓ)}
from A, the deletion of the nodes in

$$\bigcup_{j=1}^{k} D_{i_j}\ \cup\ \bigcup_{j=1}^{\ell} E_{i_j}$$

from the network does not disconnect the network. With respect to two players (nodes) P_i and P_j, the
network is said to be A^(k,ℓ)(P_i, P_j)-subconnected if for any max(k, ℓ) classes
C_{i_1}, C_{i_2}, ..., C_{i_max(k,ℓ)} from A, the deletion of the nodes in
$\bigcup_{j=1}^{k} D_{i_j} \cup \bigcup_{j=1}^{\ell} E_{i_j}$
from the network does not render P_i unreachable from P_j.

Remark: It is evident that for the threshold mixed adversarial model, the
A^(k,ℓ)-connectivity condition translates to κ > k·t_a + ℓ·t_p, where κ denotes the
size of the smallest vertex cut.

Since the underlying network is asynchronous, the adversary has the power to
schedule the messages. A path having an actively corrupted player (which we shall
henceforth call an actively corrupted path) can schedule a message routed on it in
such a way that the receiver will be made to wait for it for arbitrarily long
periods of time. Actually, these actively corrupted paths may just withhold the
messages routed through them, and thus the receiver R may not hear from the
sender S on the paths in Λ_D, for (Λ_D, Λ_E) ∈ A_path(S, R). However, the
receiver cannot distinguish between honest paths which are slow (thanks to the
malicious scheduling) and malicious paths which withhold information. Hence,
in the worst case, the set of paths on which R can expect to receive information
might contain all the malicious and the eavesdropping paths!
3 Secure Message Transmission

We consider the problem of transmitting a message m from a player P_i to a
player P_j securely. We consider perfect and unconditional (with a small error
probability) security in the information-theoretic sense. In this section we define
perfect security and unconditional security. Let the message to be transmitted
securely be drawn from a (prespecified) fixed finite field F and let P denote the
underlying probability distribution on this field. Define the View of a player
P_j in N, at any point of the execution of a protocol Π for secure message
transmission, to be the information the player can get from its local input to
the protocol (if any), all the messages that P_j had earlier sent or received, the
protocol code executed by P_j and its random coins. The View of the adversary
(i.e. the View of the players exhibiting adversarial behaviour) at any point of the
execution of Π is defined as all the information that the adversary can get from
the Views of all the players corrupted by the adversary (i.e. all the information
that these players can commonly compute from their Views).

For every message m ∈ F, any adversary B characterized by A, and any protocol
Π for secure message transmission, let Γ(B, m, Π) denote the probability
distribution on the View of the adversary B at the end of the execution of Π
when the message sent is m.

Definition 4 (Secure Message Transmission). A protocol Π is said to facilitate
perfectly secure message transmission between two players P_i and P_j if
for any message m, drawn from P on F, and for every adversary B, characterized
as a (generalized mixed) adversary structure A, the following conditions
are satisfied:

1. Secrecy: Γ(B, m', Π) = Γ(B, m, Π) ∀ m' ∈ F. That is, the above two
distributions are identical irrespective of the message transmitted.

2. Resiliency: The protocol certainly terminates with the receiver P_j receiving
the message m correctly.

The protocol Π is said to be unconditionally secure (with negligible error) if
a negligible error probability δ can be tolerated with respect to the Resiliency
condition, i.e., the protocol terminates with an overwhelming probability 1 − δ
and the receiver P_j receives m with a negligibly small error probability δ. The
probability is over the choice of m and the coin flips of each of the players and
the adversary (this is the same as the (0, δ)-security as defined in [?]).

4 Issues 

Before we start designing protocols for asynchronous secure communication between
the sender S and the receiver R over the network N, tolerating generalized
mixed adversaries, there are a few critical issues which have to be dealt with:

1. What are the paths that, out of the potentially exponential number of paths
between S and R, should be used for transmission? Note that irrespective
of the total number of paths from S to R, only a polynomial (in the input
size, i.e., n + |A|) sized subset of the paths should be used if the resultant
protocol is to be feasible. Furthermore, one should be able to compute the
above subset of paths in polynomial time!

2. What to send along the above chosen paths? In the sequel, it is shown that
the answer depends on the setting.

3. How to route a message along a path? Since the adversary can actively
corrupt some players, these intermediate players can misroute a message.

4. How does the receiver R distinguish between two different paths having the
same final link? This may be required since the receiver invariably has to
"reconstruct" the sender's message from the data that he receives via many
different paths, and the data may be an ordered set.


4.1 Solving Issue #1: Critical Paths

Fig. 2. Network N_1 (figure not reproduced; see the description below).

Consider a network in which at most t nodes are faulty. In such a case, irrespective
of which nodes are corrupted, it is evident that in the worst case
not more than t disjoint paths can be corrupted (one node per path). Hence if the
network is k-connected, it is sufficient to abstract the network as k disjoint
paths between S and R of which any t paths could be faulty; or even better as
k wires of which any t could be corrupted. This is exactly what [?] have done!
In the above case, we call the k (disjoint) paths that are chosen the critical paths.
Note that the number of critical paths is usually much lower than the total number
of paths between S and R. Unfortunately, when the players' adversarial behaviour
is modeled as a generalized mixed adversary, the non-disjointness of the
communication paths is indispensable.

For example, consider the network N_1 in Fig. 2. Let the adversary be characterized
by the following mixed adversary structure A = {({A}, ∅), ({B}, ∅), ({F}, ∅), ({G}, ∅)}.
There are in total five paths from S to R. It can be easily seen (using
the results of [?]) that any protocol for asynchronous secure message transmission
between S and R should necessarily use four of the paths between S
and R, leaving out one of the two paths passing through F (since the node F is
potentially corruptible). Note that in any case, the chosen four paths are not all
disjoint! Furthermore, the path that is left out is not a critical path.

We now need to develop a deterministic methodology for computing the critical
paths; moreover, we require that the algorithm runs in time polynomial in the
input size. Assume that the sender S and receiver R are A^(k_1,0)-subconnected
as well as A^(k_2,1)-subconnected (see footnote 5). We solve the above issue by providing an
algorithm (see Fig. 3) with the following properties: (1) The algorithm takes as
input N(V, ℰ), A, and the sender S and the receiver R. (2) The algorithm outputs
a set of paths between S and R in N, denoted by PotX_A(S, R). (3) The
algorithm runs in time polynomial in |V| and |A|, viz. O(|V| · |A|^6). (4) The number
of paths in PotX_A(S, R) is polynomial in |A|, viz. O(|A|^3). (5) A solution
using PotX_A(S, R) exists if and only if a solution that uses the full set of paths
X_path(S, R) exists, i.e. it is ensured that S and R are A^(k_1,0)-subconnected as
well as A^(k_2,1)-subconnected even if the set of paths is restricted to PotX_A(S, R).

Theorem 1. The algorithm in Fig. 3 satisfies all the above stated properties.
We assume the worst case of k_1 = 3 and k_2 = 2.

Proof of Property 3: The only computationally intensive step is the IF step,
which takes O(|V| · |PotX_A(S, R)|) time. Since |PotX_A(S, R)| = O(|A|^3) (see the proof
of Property 4), the overall computational complexity is O(|V| · |A|^6).

Proof of Property 4: The property is clear from the fact that in each of the
$\binom{|\mathcal{A}|}{3} + |\mathcal{A}|(|\mathcal{A}|-1)$ iterations (one per choice of classes in the two loops of Fig. 3),
the size of PotX_A(S, R) increases by at most one.

Proof of Property 5: Follows from the construction.

Computing PotX_A(S, R)

Inputs: N(V, ℰ), A, the sender S and the receiver R.

Let PotX_A(S, R) = ∅.
Let A_ces = { Λ_i = (V \ D_i) | (D_i, E_i) ∈ A }.
For i_1 = 1 to |A_ces|
  For i_2 = i_1 + 1 to |A_ces|
    ...
      For i_{k_1} = i_{k_1 - 1} + 1 to |A_ces|
        IF (PotX_A(S, R) ∩ N[Λ_{i_1} ∩ Λ_{i_2} ∩ ... ∩ Λ_{i_{k_1}}]) = ∅
        THEN select at random some path p in N[Λ_{i_1} ∩ Λ_{i_2} ∩ ... ∩ Λ_{i_{k_1}}]
             and set PotX_A(S, R) ← PotX_A(S, R) ∪ {p}.
      NEXT i_{k_1}
    ...
  NEXT i_2
NEXT i_1

Let A'_ces = { Λ'_i = (V \ (D_i ∪ E_i)) | (D_i, E_i) ∈ A }.
For i_1 = 1 to |A'_ces|
  For i_2, ..., i_{k_2} ranging over distinct indices in {1, ..., |A_ces|} \ {i_1}
    IF (PotX_A(S, R) ∩ N[Λ'_{i_1} ∩ Λ_{i_2} ∩ ... ∩ Λ_{i_{k_2}}]) = ∅
    THEN select at random some path p in N[Λ'_{i_1} ∩ Λ_{i_2} ∩ ... ∩ Λ_{i_{k_2}}]
         and set PotX_A(S, R) ← PotX_A(S, R) ∪ {p}.
  NEXT i_2, ..., i_{k_2}
NEXT i_1

Comment: The above construction ensures that S and R are A^(k_1,0)-subconnected as well as
A^(k_2,1)-subconnected even if the set of paths is restricted to PotX_A(S, R).

Fig. 3. Identifying the critical paths PotX_A(S, R).

5 It will be clear from the sequel that in the various settings considered in this paper,
we will be dealing with only A^(k_1,0)-subconnectivity and A^(k_2,1)-subconnectivity. More
precisely, in the perfect and unconditional settings, k_1 = 3 and k_2 = 2; and in the
unconditional-with-broadcast setting, k_1 = 0 and k_2 = 2.
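As an added illustration (this code is not part of the paper), the following Python implements Definition 3 and the construction of Fig. 3 over a small constructed network. The network, the adversary structure and the deterministic tie-break (the shortest surviving path instead of a random one) are assumptions of the example; everything else follows the definitions above. With k_1 = 3, k_2 = 2 the example reprodu­ces the phenomenon of Section 4.1: four of the five paths are needed, two of them share the honest relay H, and the path left out is one of the two through F.

```python
import itertools
from typing import Dict, Iterator, List, Set, Tuple

Path = Tuple[str, ...]                      # an S-R path as a node sequence (S, ..., R)
AdvClass = Tuple[frozenset, frozenset]      # a class (D, E): actively / passively corruptible players


def all_paths(adj: Dict[str, Set[str]], s: str, r: str) -> List[Path]:
    """X_path(S,R): every simple S-R path (exponential in general; fine for a toy network)."""
    found: List[Path] = []

    def walk(node: str, seen: Set[str], trail: List[str]) -> None:
        if node == r:
            found.append(tuple(trail))
            return
        for nxt in sorted(adj[node]):
            if nxt not in seen:
                seen.add(nxt)
                trail.append(nxt)
                walk(nxt, seen, trail)
                trail.pop()
                seen.remove(nxt)

    walk(s, {s}, [s])
    return found


def avoiding(paths: List[Path], removed: frozenset) -> List[Path]:
    """The given paths that survive in the sub-network induced on V minus `removed`
    (N[V \\ removed] restricted to the set).  S and R are assumed honest, so only
    interior players are tested."""
    return [p for p in paths if not (set(p[1:-1]) & removed)]


def removal_sets(adv: List[AdvClass], k: int, l: int) -> Iterator[frozenset]:
    """The deletions of Definition 3: D_{i1} u ... u D_{ik} u E_{i1} u ... u E_{il} over every
    ordered choice of max(k,l) classes (ordered, because for k != l the roles differ).
    A basis with fewer than max(k,l) classes is padded with the empty class, which any
    monotone structure contains; with more classes, a path surviving a larger deletion
    also survives every subset of it."""
    m = max(k, l)
    classes = list(adv) + [(frozenset(), frozenset())] * max(0, m - len(adv))
    for combo in itertools.permutations(classes, m):
        removed: Set[str] = set()
        for j, (d, e) in enumerate(combo):
            if j < k:
                removed |= d
            if j < l:
                removed |= e
        yield frozenset(removed)


def subconnected(paths: List[Path], adv: List[AdvClass], k: int, l: int) -> bool:
    """A^(k,l)(S,R)-subconnectivity: no admissible deletion leaves R unreachable from S."""
    return all(avoiding(paths, rem) for rem in removal_sets(adv, k, l))


def critical_paths(paths: List[Path], adv: List[AdvClass], k1: int, k2: int) -> List[Path]:
    """PotX_A(S,R) as in Fig. 3: the A^(k1,0) loop, then the A^(k2,1) loop; for every deletion
    add one surviving path unless PotX already contains one.  Fig. 3 picks the survivor at
    random; this example (an assumption) takes the shortest, lexicographically first one so
    that runs are reproducible."""
    potx: List[Path] = []
    for loop in (removal_sets(adv, k1, 0), removal_sets(adv, k2, 1)):
        for rem in loop:
            if avoiding(potx, rem):
                continue                      # PotX already survives this deletion
            survivors = avoiding(paths, rem)
            if survivors:                     # empty: the full network is not subconnected either
                potx.append(min(survivors, key=lambda p: (len(p), p)))
    return potx


# Constructed toy network (an assumption of this example, not the paper's Fig. 2): honest S, R,
# relay H and K, players A, B, F, G; five S-R paths, two of them through F.
ADJ: Dict[str, Set[str]] = {
    "S": {"A", "B", "F", "G"}, "A": {"S", "H"}, "B": {"S", "H"}, "H": {"A", "B", "R"},
    "F": {"S", "K", "R"}, "K": {"F", "R"}, "G": {"S", "R"}, "R": {"H", "F", "K", "G"},
}
# Maximal basis of a purely active generalized structure: any one of A, B, F, G may be Byzantine.
ADV: List[AdvClass] = [(frozenset({x}), frozenset()) for x in "ABFG"]
PATHS = all_paths(ADJ, "S", "R")
POTX = critical_paths(PATHS, ADV, 3, 2)       # perfect / unconditional setting: k1 = 3, k2 = 2

if __name__ == "__main__":
    print("all paths:     ", PATHS)
    print("critical paths:", POTX)
    print("A^(3,0), A^(2,1) preserved:", subconnected(POTX, ADV, 3, 0), subconnected(POTX, ADV, 2, 1))
```

Adding the relay H to the structure (so that {F, G, H} is an admissible deletion) makes `subconnected(PATHS, ADV + [({H}, ∅)], 3, 0)` false: the network is then A^(2,1)- but no longer A^(3,0)-subconnected, which is exactly the gap between the two halves of the condition in Theorem 7.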
4.2 Solving Issues #2 & #4: Anonymous Secret Sharing

We require that the adversary should get no information about the message,
whilst R should be able to reconstruct the message (or should at least be able
to detect a fault, if not correct it!). This is reminiscent of secret sharing. Moreover,
R may not be able to distinguish between shares routed on different paths
arriving through the same final link. Therefore the requirement is that of anonymous
secret sharing [?]. In our case, anonymization is easily achieved by creating
self-identifying message packets by appending the intended path number to the
message, i.e., if the message packet ϖ_i is to be routed through path p_i, the
self-identifying packet would be (ϖ_i, i). The above abstraction helps us work with
secret sharing alone since it can easily be "compiled" into anonymous secret
sharing. In the unconditional case, as will be illustrated in the sequel, it is sufficient
if the secret is split into shares such that their sum gives back the secret.
However, in the perfect setting, we use the linear perfect secret sharing schemes
based on monotone span programs [?].

4.3 Solving Issue #3: Routing Algorithm

As a recap, a routing primitive is essential since it is not guaranteed that a
message intended to be routed along a path will reach the receiver on that particular
path. We prove that such a strong primitive is not required and that the
weaker primitive described in Observation 1 is sufficient to design secure message
transmission protocols. We next provide the routing primitive A_async (see
Fig. 4) for asynchronous networks.

Observation 1. It is sufficient to have a routing algorithm A that guarantees
that on every honest path p_i (identified by i), R receives exactly one correct
self-identifying packet, namely (ϖ_i, i).

Routing Algorithm A_async

Inputs: The sender S, the receiver R, the message ϖ_i to be routed through path p_i, and the
subset of paths Φ(S, R) ⊆ X_path(S, R) under consideration.

Code for the Sender S:

  Send the packet (ϖ_i, i) to node N IF path p_i = (S, N, ..., R) and p_i ∈ Φ(S, R).

Code for an Internal Node N:

  IF the packet (ϖ_i, i), where path p_i = (S, ..., N_1, N_2, N_3, ..., R) and p_i ∈ Φ(S, R), is
  received from N_1 and N_2 == N, THEN send it to N_3. ELSE throw away the packet (ϖ_i, i).

Code for the Receiver R:

  For each p_i ∈ Φ(S, R), initialize r_i = ⊥.
  Let S_recd (initialized to ∅) keep track of the paths through which R receives.
  IF R receives the packet (ϖ_i, i) from N_t, where path p_i = (S, ..., N_t, R)
  THEN
      S_recd ← S_recd ∪ {p_i}.
      IF r_i == ⊥ THEN set r_i = (ϖ_i, i).
      ELSE set r_i = ⊥.          // i.e., a second packet arrived on p_i.
  ELSE set r_i = ⊥.              // i.e., the packet is received but not along p_i.
  Wait until S_recd ⊇ (Φ(S, R) \ Λ_D) for some (Λ_D, Λ_E) ∈ A_path(S, R).

Fig. 4. The Routing Algorithm for Asynchronous Networks.

We now prove that the algorithm A_async satisfies the weak routing primitive
described in Observation 1.

Theorem 2. The Routing Algorithm A_async for asynchronous networks, given
in Fig. 4, satisfies the specification as in Observation 1.

Proof: Let p_i be an honest path through which S intended to send message ϖ_i.
On the contrary, assume that R received on path p_i either:

1. One incorrect packet. This leads to a contradiction because if the packet was
correct up to q hops, our algorithm ensures that it is correct even after q + 1
hops. The proof follows through induction.

2. No packet. As all the nodes on the path are honest, it is clear that at least
one packet (viz. the packet routed through that path, (ϖ_i, i)) will eventually
reach R. (Note, however, that R may not wait for this message.)

3. More than one packet. Since more than one packet was received on the honest
path p_i (with the same path identifier), there exists at least one packet whose
path identifier was corrupted to i. Let N be the corrupted node where the
path identifier was corrupted to i and sent to an honest node N_h in p_i. A_async
ensures that this packet is thrown away by N_h. Notice that the same holds
even when N_h = R. □

5 Unconditionally Secure Communication with Broadcast

5.1 Impossibility

Theorem 3. Unconditionally secure message transmission tolerating A across
an asynchronous network N with broadcast capability is possible only if the sender
S and the receiver R are A^(2,1)(S, R)-subconnected.

Proof: Assume that, on the contrary, secure transmission with negligible error
is possible even when S and R are not A^(2,1)(S, R)-subconnected. In this case,
the adversary can exploit the asynchrony of the network and delay the messages
routed through the paths in Λ_D for some class Λ = (Λ_D, Λ_E) ∈ A_path(S, R).
Since S and R are not A^(2,1)(S, R)-subconnected, there exists a class Λ' =
(Λ'_D, Λ'_E) ∈ A_path(S, R) such that Λ_D ∪ Λ'_D ∪ Λ'_E = X_path(S, R). Thus,
by choosing to corrupt this class Λ', the adversary has all the knowledge that R
takes into consideration, thus violating the secrecy requirement. □

5.2 Possibility

We propose a protocol sketch for unconditionally secure communication on the
lines of [?] and show that the A^(2,1)(S, R)-subconnectivity condition is sufficient.

Asynchronous Unconditionally Secure Transmission

1. S sends different ρ_j^S, σ_j^S ∈ F on each path p_j in Φ(S, R).

2. For each ρ_j^R, σ_j^R that R receives on the correct path p_j, R chooses v_j^R ∈ F at random
   and reliably sends (using the broadcast channel) v_j^R and s_j^R = v_j^R · ρ_j^R + σ_j^R.

3. S constructs G = { j | s_j^R = (v_j^R · ρ_j^S + σ_j^S) }. S reliably sends (using the broadcast channel) G
   and Z = m^S + Σ_{j∈G} ρ_j^S.

4. R computes m^R = Z − Σ_{j∈G} ρ_j^R.

Fig. 5. Unconditionally Secure Transmission with Broadcast.

Theorem 4. The protocol given in Fig. 5 is indeed a protocol guaranteeing
unconditionally secure communication if the sender S and the receiver R are A^(2,1)(S, R)-
subconnected.

Proof of Secrecy: Since the network is asynchronous, the receiver can expect
to receive messages only on the paths in (X_path(S, R) \ Λ_D) for some Λ =
(Λ_D, Λ_E) ∈ A_path(S, R). However, since S and R are A^(2,1)(S, R)-subconnected, even
if the adversary corrupts some other class Λ' = (Λ'_D, Λ'_E), there exists one path
p_h on which the messages will reach R and which has no corrupted (active or passive)
player. Hence, R receives the values ρ_h^S and σ_h^S correctly. The adversary cannot
find out the value ρ_h^S even using s_h^R and v_h^R, since the uniformly random σ_h^S
masks v_h^R · ρ_h^S. Hence the adversary can only guess the value of m^S even after knowing Z.

Proof of Resiliency: m^S ≠ m^R if and only if ρ_j^S ≠ ρ_j^R for some j ∈ G. For a path
on which the adversary has altered the pair, the check of step 3 passes for at most one
value of v_j^R, which R chooses after the pair has been delivered, so this occurs with
probability 1/|F| per path. Hence Pr(m^S ≠ m^R) ≤ |Φ(S, R)|/|F|, which can be made
sufficiently small since one could choose the working field such that |F| > |Φ(S, R)|/δ
and still have the computation, round and communication complexities of the resultant
protocol polynomial in the size of the network, the size of the maximal basis
of the adversary structure and log(1/δ) (if δ > 0). □
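As an added example (not code from the paper), the following Python simulates one execution of the Fig. 5 protocol over the prime field GF(2^61 − 1), with paths abstracted to indices. The adversarial scheduler withholds the paths in `delayed` and the actively corrupted paths in `tampered` deliver a substituted pair (ρ', σ') with ρ' ≠ ρ; both sets, the field, and the helper names are assumptions of the example. The run shows the two halves of Theorem 4: a tampered path is excluded from G except with probability 1/|F|, and the message stays masked as long as G contains a path the adversary neither reads nor controls.

```python
import secrets
from typing import Dict, List, Set, Tuple

P = (1 << 61) - 1   # the working field F = GF(P); |Phi(S,R)| / |F| is then negligible


def rand_fe() -> int:
    """A uniformly random field element (fresh randomness per protocol run)."""
    return secrets.randbelow(P)


class Sender:
    def __init__(self, message: int, n_paths: int) -> None:
        self.m = message % P
        # Step 1: an independent pair (rho_j, sigma_j) for each path p_j in Phi(S,R).
        self.pads: List[Tuple[int, int]] = [(rand_fe(), rand_fe()) for _ in range(n_paths)]

    def step3(self, checks: Dict[int, Tuple[int, int]]) -> Tuple[List[int], int]:
        """Read R's broadcast {j: (v_j, s_j)}; G = paths whose check passes; publish (G, Z)."""
        good = sorted(j for j, (v, s) in checks.items()
                      if (v * self.pads[j][0] + self.pads[j][1]) % P == s)
        z = (self.m + sum(self.pads[j][0] for j in good)) % P
        return good, z


class Receiver:
    def __init__(self) -> None:
        self.pads: Dict[int, Tuple[int, int]] = {}   # what arrived on each path (possibly altered)

    def receive(self, j: int, rho: int, sigma: int) -> None:
        self.pads[j] = (rho, sigma)

    def step2(self) -> Dict[int, Tuple[int, int]]:
        """For every pad received, choose a random v_j and broadcast (v_j, s_j = v_j*rho_j + sigma_j).
        sigma_j masks v_j*rho_j, so the broadcast reveals nothing about rho_j."""
        out: Dict[int, Tuple[int, int]] = {}
        for j, (rho, sigma) in self.pads.items():
            v = rand_fe()
            out[j] = (v, (v * rho + sigma) % P)
        return out

    def step4(self, good: List[int], z: int) -> int:
        return (z - sum(self.pads[j][0] for j in good)) % P


def run(message: int, n_paths: int, delayed: Set[int], tampered: Set[int]):
    """One execution.  Paths in `delayed` do not arrive before R stops waiting; on paths in
    `tampered` the adversary substitutes its own pair with rho' != rho.
    Returns (m_R, G, Z, R's broadcast)."""
    s, r = Sender(message, n_paths), Receiver()
    for j in range(n_paths):
        if j in delayed:
            continue
        rho, sigma = s.pads[j]
        if j in tampered:
            rho, sigma = (rho + 1) % P, rand_fe()
        r.receive(j, rho, sigma)
    checks = r.step2()            # broadcast: seen by S and by the adversary
    good, z = s.step3(checks)     # broadcast
    return r.step4(good, z), good, z, checks


def adversary_learns_message(good: List[int], eavesdropped: Set[int], tampered: Set[int]) -> bool:
    """The adversary knows rho_j on the paths it reads or controls and can strip them from Z;
    m stays masked by a uniform unknown unless every path in G is one of those, which is
    precisely the situation Theorem 3 rules out under A^(2,1)(S,R)-subconnectivity."""
    return set(good) <= (eavesdropped | tampered)


if __name__ == "__main__":
    m_r, good, z, _ = run(424242, n_paths=4, delayed={3}, tampered={2})
    print("R recovers", m_r, "using G =", good)
    print("adversary (reads path 1, controls path 2) learns m:",
          adversary_learns_message(good, {1}, {2}))
```

The check in step 3 is the usual one-time-pad authentication: an altered pair (ρ', σ') passes only if v·(ρ − ρ') = σ' − σ, i.e. for a single v that the adversary had to guess before R chose it.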

6 Unconditionally Secure Communication without Broadcast

6.1 Impossibility

Theorem 5. Unconditionally secure message transmission tolerating A across
an asynchronous network N without broadcast capability is possible only if the
sender S and the receiver R are A^(2,1)(S, R)-subconnected as well as A^(3,0)(S, R)-
subconnected.

Proof: As a direct consequence of Theorem 3, S and R should be at least
A^(2,1)(S, R)-subconnected for any secure communication protocol to satisfy the
secrecy condition. For the sake of contradiction, assume that there exists a
scheme ξ for unconditionally secure communication even when S and R are not
A^(3,0)(S, R)-subconnected. Using ξ, we construct a protocol ξ' for unconditionally
secure communication between a sender S' and a receiver R' over a network
N', wherein S' and R' are connected by exactly three disjoint paths (p_1, p_2 and
p_3), at least one of which is corrupted by a Byzantine adversary. However, in
this case, secure communication of any sort is impossible. The adversary can
delay the message through one of the paths so that R' does not take it into
consideration. Then the adversary can corrupt one of the other two messages.
Thus R' will have to reconstruct the secret using one of the two messages and in
a sense has exactly the same amount of information as the adversary. Since the
adversary should not get more information about the secret (than what he can
get by random guessing), unconditionally secure communication is not possible.

The construction of ξ' from ξ is simple. Since S and R are not A^(3,0)(S, R)-
subconnected, there exist three classes Λ_1 = (Λ_{D_1}, Λ_{E_1}), Λ_2 = (Λ_{D_2}, Λ_{E_2}), Λ_3 =
(Λ_{D_3}, Λ_{E_3}) in the path adversary structure such that Λ_{D_1} ∪ Λ_{D_2} ∪ Λ_{D_3} =
X_path(S, R). Construct the scheme ξ' wherein every message sent through a path in
Λ_{D_1} in ξ is sent through the path p_1 in ξ', every message sent through a path in
Λ_{D_2} \ Λ_{D_1} in ξ is sent through the path p_2 in ξ', and every message sent through
a path in Λ_{D_3} \ (Λ_{D_1} ∪ Λ_{D_2}) in ξ is sent through the path p_3 in ξ'. Hence, if ξ
is a protocol for unconditionally secure communication, so is ξ'. □

6.2 Possibility

We remark that the protocol for unconditionally secure communication in Fig. 5
will work even in this case, if we are able to simulate reliable but insecure
transmission. We provide below a protocol for the same (which we call Public
Transmission) whenever the sender and receiver are at least A^(3,0)(S, R)-
subconnected.

Theorem 6. Reliable, yet insecure, transmission is possible if and only if S and
R are A^(3,0)(S, R)-subconnected.

Necessary: Assume the contrary. Then there exist classes Λ_1, Λ_2 and Λ_3 such
that Λ_{D_1} ∪ Λ_{D_2} ∪ Λ_{D_3} = X_path(S, R). The adversary slows down the messages in Λ_{D_1}
and corrupts those in either Λ_{D_2} or Λ_{D_3}. Note that R has no idea whether Λ_2 is
corrupted or Λ_3 is corrupted and cannot decide whether the messages through Λ_{D_2}
are correct or those through Λ_{D_3} are correct. Thus reliable transmission is not
possible.

Sufficient: See the protocol in Fig. 6. Suppose S transmits a message m to R. Let
R receive m'. Assume that m' ≠ m. This would require the adversary to corrupt
the paths in Λ_B = (S_recd \ Λ'_D) = (Φ(S, R) \ (Λ_D ∪ Λ'_D)). Hence ∃ (Λ''_D, Λ''_E) ∈
A_path(S, R) such that Λ''_D ⊇ Λ_B. This would imply that ∃ (Λ_D, Λ_E), (Λ'_D, Λ'_E),
(Λ''_D, Λ''_E) ∈ A_path(S, R) such that Λ_D ∪ Λ'_D ∪ Λ''_D = Φ(S, R). This leads to a
contradiction since S and R are A^(3,0)(S, R)-subconnected. □
Public Transmission and Reception

Transmission: Sender S sends message m on all paths in Φ(S, R).

Reception: The receiver R receives on the paths in S_recd = (Φ(S, R) \ Λ_D) for some
(Λ_D, Λ_E) ∈ A_path(S, R).
  Let the receiver R receive m'_i on path p_i ∈ S_recd.
  Set m' = m'_i such that ∃ (Λ'_D, Λ'_E) ∈ A_path(S, R) with m'_i = m'_j for all p_j ∈ (S_recd \ Λ'_D).
  m' is the publicly received message.

Comment: The publicly received message m' is that message which is received through the
paths which form a set in the path access structure.

Fig. 6. Public Transmission and Reception.
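As an added example (not code from the paper), the following Python ties Fig. 4 and Fig. 6 together: it simulates A_async hop by hop over the four critical paths of a constructed network, with the adversarial scheduler withholding one path and a Byzantine node F both altering the payload on its own path and injecting a packet that claims to travel on another path, and then applies the reception rule of Fig. 6 to what R holds. The paths, the adversary structure and F's behaviour are assumptions of the example. `public_reception` returns every value admissible under the rule, so that the reader can see the reliability guarantee of Theorem 6 hold (exactly one value) under A^(3,0)(S, R)-subconnectivity and fail (two values) once a class covering the relay H is added.

```python
from collections import deque
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple

Path = Tuple[str, ...]                   # (S, ..., R)
Packet = Tuple[str, int]                 # self-identifying packet (w_i, i)
AdvClass = Tuple[frozenset, frozenset]   # node class (D, E)
# A Byzantine node's behaviour: (from, self, packet) -> the (next hop, packet) pairs it emits.
Byzantine = Callable[[str, str, Packet], List[Tuple[str, Packet]]]


def route(paths: List[Path], payloads: Dict[int, str], byzantine: Dict[str, Byzantine],
          delayed: Set[int]) -> Tuple[Dict[int, Optional[Packet]], Set[int]]:
    """Simulate A_async (Fig. 4) under an adversarial scheduler.  An honest internal node forwards
    (w_i, i) only if it is the hop of p_i following the node it came from, else it drops it.
    Paths in `delayed` are held back and never reach R in time.  Returns R's table r_i and S_recd."""
    s, r = paths[0][0], paths[0][-1]
    queue: Deque[Tuple[str, str, Packet]] = deque()        # (from, to, packet) in flight
    for i, p in enumerate(paths):
        if i not in delayed:
            queue.append((s, p[1], (payloads[i], i)))    # the sender's code
    table: Dict[int, Optional[Packet]] = {i: None for i in range(len(paths))}
    count: Dict[int, int] = {i: 0 for i in range(len(paths))}
    s_recd: Set[int] = set()
    while queue:
        frm, node, pkt = queue.popleft()
        w, i = pkt
        if not 0 <= i < len(paths):
            continue                                        # bogus path identifier
        p = paths[i]
        if node == r:                                       # the receiver's code
            if frm == p[-2]:                                # arrived along the last link of p_i
                s_recd.add(i)
                count[i] += 1
                table[i] = pkt if count[i] == 1 else None   # a second packet on p_i -> bottom
            continue
        if node in byzantine:
            queue.extend((node, nxt, out) for nxt, out in byzantine[node](frm, node, pkt))
            continue
        if node in p and p.index(node) > 0 and p[p.index(node) - 1] == frm:   # internal node's code
            queue.append((node, p[p.index(node) + 1], pkt))
        # otherwise the packet is thrown away
    return table, s_recd


def path_classes(paths: List[Path], adv: List[AdvClass]) -> List[Tuple[frozenset, frozenset]]:
    """A_path(S,R) of Definition 2: (D, E) -> (Lambda_D, Lambda_E), the ids of paths through D / E."""
    return [(frozenset(i for i, p in enumerate(paths) if set(p[1:-1]) & d),
             frozenset(i for i, p in enumerate(paths) if set(p[1:-1]) & e)) for d, e in adv]


def public_reception(paths: List[Path], adv: List[AdvClass],
                     table: Dict[int, Optional[Packet]]) -> Set[str]:
    """Reception rule of Fig. 6.  Once S_recd covers Phi minus Lambda_D for some class, every value
    that agrees on all received paths outside some Lambda'_D is admissible.  Theorem 6 says there is
    exactly one under A^(3,0)(S,R)-subconnectivity; an empty set means R must keep waiting."""
    all_ids = set(range(len(paths)))
    s_recd = {i for i, v in table.items() if v is not None}
    classes = path_classes(paths, adv)
    if not any(s_recd >= all_ids - ld for ld, _ in classes):
        return set()
    admissible: Set[str] = set()
    for ld, _ in classes:
        consider = s_recd - ld
        values = {table[i][0] for i in consider}
        if len(values) == 1:
            admissible |= values
    return admissible


# Constructed sample (an assumption of this example): four critical paths of a toy network with
# honest S, R and relay H; any one of A, B, F, G may be actively corrupted.
PATHS: List[Path] = [("S", "A", "H", "R"), ("S", "B", "H", "R"), ("S", "F", "R"), ("S", "G", "R")]
ADV: List[AdvClass] = [(frozenset({x}), frozenset()) for x in "ABFG"]


def byzantine_f(frm: str, node: str, pkt: Packet) -> List[Tuple[str, Packet]]:
    """F alters the payload on its own path and forges a packet claiming path 0 towards H."""
    _, i = pkt
    return [("R", ("m'", i)), ("H", ("m'", 0))]


TABLE, S_RECD = route(PATHS, {i: "m" for i in range(4)}, {"F": byzantine_f}, delayed={3})

if __name__ == "__main__":
    print("S_recd =", sorted(S_RECD), "table =", TABLE)
    print("public value(s):", public_reception(PATHS, ADV, TABLE))
```

In the run above H drops F's forged packet because it did not come from A, the predecessor of H on p_0 (case 3 of the proof of Theorem 2), R sets r_3 to ⊥ for the withheld path and stops waiting once S_recd ⊇ Φ \ Λ_D holds for the class containing G, and the only value agreeing on all received paths outside some Λ'_D is the one S sent.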

7 Perfectly Secure Communication 

7.1 Impossibility 

Theorem 7. Perfectly secure message transmission tolerating A across an asyn- 
chronous network N is possible only if the sender S and the receiver R are 
A ( - 2,1 \S,'R)-subconnected as well as A^ 3,0 \S,Ii)-subconnected. This is irrespec- 
tive of whether Af has broadcast capabilities or not. 

Proof: Assume for the sake of contradiction that there exists a scheme £ for se- 
cure message transmission of m € T from S to R tolerating A across AT not sat- 
isfying either A( 3 ’ 0 )(S, R)-subconnectivity or the (S, R)-subconnectivity 
condition. Also assume that each execution of f proceeds in phases, and that in 
the odd phase the sender S sends messages to the receiver R while in an even 
phase transmits to S. 

Case 1 - Violation of A^(3,0)(S,R)-subconnectivity:

In this case, there exist three classes (A_{D1}, A_{E1}), (A_{D2}, A_{E2}), (A_{D3}, A_{E3}) ∈ A_path(S,R) such that A_{D1} ∪ A_{D2} ∪ A_{D3} = X_path(S,R). Let m ≠ m' ∈ F. We construct two executions Γ and Γ' of Π that, for every k, are indistinguishable to R after k phases of communication. However, we construct the two executions in such a way that in Γ the message being transmitted is m, while in Γ' the message being transmitted is m', thus proving that these executions cannot terminate, violating the resiliency condition.

Assume that in phase 2i + 1 of the execution of Γ (or Γ'), S sends α_i (respectively α'_i) through the paths in A_{E1}, β_i (respectively β'_i) through the paths in (A_{D2} \ A_{E1}) and γ_i (respectively γ'_i) through the paths in (A_{E3} \ (A_{E1} ∪ A_{E2})). The adversary corrupts A_{E3} (respectively A_{E2}) in the execution of Γ (respectively Γ') and delays the messages sent through paths in A_{D1} so that R will not consider these messages. In each phase of the execution of Γ (respectively Γ'), the adversary corrupts the message γ_i (respectively β'_i) to γ'_i (respectively β_i). At the end of the i-th phase, R receives β_i, γ'_i on paths in (A_{D2} ∪ A_{D3}) \ A_{D1} in both the executions. Clearly, the receiver cannot distinguish between the two executions, violating the resiliency requirement. Note that the existence of a broadcast channel does not help.
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Case 2 - Violation of A^(2,1)(S,R)-subconnectivity:

This means that there exist two classes (A_{D1}, A_{E1}), (A_{D2}, A_{E2}) ∈ A_path(S,R) such that A_{E1} ∪ A_{D2} = X_path(S,R). Hence, by choosing the class (A_{D1}, A_{E1}) from A and delaying the messages routed through paths in A_{D2} (so that R doesn't consider these messages), the adversary gains as much knowledge of the message as does R, violating the secrecy requirement.

The fact that the presence of a broadcast primitive leaves the condition unaffected follows from Theorem [ref] and the protocol (see Fig. [ref]) for simulating broadcast. □


7.2 Possibility 

We show that the protocols in line with [ref], when modified to the asynchronous and generalized mixed adversary setting, work correctly over any network that is A^(2,1)(S,R)-subconnected as well as A^(3,0)(S,R)-subconnected. We begin by describing a method for sharing and reconstructing a secret, which we will denote as algorithm T (see Fig. 7). It is known that a polynomial sized MSP [ref] (see footnote 6) M = (F, M_{d×e}, ψ) can be constructed (preferably of size as small as possible), corresponding to the adversary structure A_path(S,R), with the range of ψ being Φ(S,R) and the target vector T = [1, 0, ..., 0]. With these inputs, we describe the sharing and reconstruction algorithm T in Fig. 7.

Our transmission protocol (see Fig. 8) runs in iterations. In each iteration the sender S attempts the transmission of a random pad p by sending the share w_i (constructed using T) along each path p_i. Since R is not assured of hearing on all the paths, R waits for messages on a subset of paths S_recd and attempts to reconstruct the random pad p (using the reconstruction algorithm of T) from the shares received. If R is not able to conclusively reconstruct a unique pad, R publicly sends all the received messages to S. From these, S constructs the set of faulty paths F. First S constructs the set S_recd, the paths on which R actually received messages. Among these paths, S marks a path as faulty (and adds it to the set F) if R received a wrong message on it. Note that at least one path is recognized as faulty, since otherwise the transmission of p would have been successful, terminating the pad-agreement phase of the protocol. Now S and R prune the adversary structure (as in the synchronous case) and restart the protocol for a different pad p'. When the transmission of a pad p is successful,

6 Every linear secret sharing scheme can be represented as a Monotone Span Program defined as the triple (F, M, ψ), where F represents a finite field, M is a d × e matrix with entries in F, and ψ : {1, ..., d} → {P_1, ..., P_n} is a function. Each row of the matrix M is labeled by players in the sense that ψ assigns the label ψ(k) to the k-th row of M, 1 ≤ k ≤ d. For A ⊆ {P_1, ..., P_n}, M_A denotes the matrix that consists of all rows in M labeled by players in A. Let T ∈ F^e be the target vector. An MSP is said to accept (or reject) a structure 𝒵 if for all Z ∈ 𝒵 there exists (does not exist, respectively) a linear combination of the rows of M_Z which equals T. An MSP is said to correspond to an adversary structure A_adv if it rejects exactly A_adv. By the size of an MSP, we mean the number of rows in M.
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Sharing & Reconstruction

Sharing: We arrive at the entity to be sent across each of the paths in Φ(S,R) in the following three steps.

1. Computing the Secret Shares: Let p be the random pad to be agreed upon and s = [p, φ_1, φ_2, ..., φ_{e-1}], where all φ_i's are random elements in F. The shares are constructed as x = M × s^T, and the share x_j corresponds to path ψ(j) (the label of the j-th row in M).

2. "Anonymization" and the packet construction: We convert each of the shares to be sent into what we call self-identifying packets. Consider each share x_j as a binary string of length lg|F|. The packet w_i corresponding to path p_i is the base-3 number obtained as follows:

- Append the digit 2 to the binary string representing each x_j, to get a ternary string denoted by x'_j.

- Concatenate all the x'_j's assigned to p_i to get (w_i)_{base 3} = x'_{j_1} ∘ x'_{j_2} ∘ ... ∘ x'_{j_k} = x_{j_1} ∘ 2 ∘ x_{j_2} ∘ 2 ∘ ... ∘ x_{j_k} ∘ 2, where for every j_ℓ the label ψ(j_ℓ) = p_i.

Reconstruction: The receiver undoes the transformations performed by S to obtain the original shares x. If all the shares are correct, then the receiver R can indeed reconstruct the secret as follows:

1. For each set A in the path access structure, find λ_A such that λ_A × M_A = T. (By the MSP definition, such a (1 × e) vector λ_A should exist.)

2. p = T × s^T = λ_A × M_A × s^T = λ_A × x_A.


Fig. 7. Algorithm for Sharing and Reconstruction.


R publicly sends OK, upon which S sends Z = m ⊕ p publicly. The receiver can get back m by m = Z ⊕ p.
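As an added worked example (not the paper's code), the sharing and reconstruction of Fig. 7 together with the receiver's agreement check of Stage 2 and the sender's faulty-path set F of Stage 3 of the transmission protocol; it uses a constructed threshold (Vandermonde) MSP over GF(257) in place of the MSP corresponding to A_path(S,R), and the path names, field and corruption pattern are assumptions.

```python
"""Sharing, self-identifying packets and reconstruction (Fig. 7) plus the Stage-2
agreement check and Stage-3 faulty-path detection of the transmission protocol.
Added example, not the paper's code; the MSP is a constructed threshold (Vandermonde)
MSP over GF(q) with target vector T = [1, 0, ..., 0]."""
import random
from itertools import combinations

Q = 257    # constructed choice of field: GF(257), so each share is a 9-bit string
BITS = 9   # lg|F|

def msp_threshold(labels, e, q=Q):
    """Row j of M is [1, a_j, ..., a_j^(e-1)] with a_j = j + 1 and label psi(j) = labels[j].
    Any e rows are independent, so sets of paths holding >= e rows are the access sets."""
    M = [[pow(j + 1, c, q) for c in range(e)] for j in range(len(labels))]
    return M, dict(enumerate(labels))

def rows_of(psi, path):
    """Rows of M labelled with this path, in packet order."""
    return [j for j in sorted(psi) if psi[j] == path]

def share(p, M, q=Q):
    """Step 1: s = [p, phi_1, ..., phi_{e-1}] with random phi's; x = M x s^T."""
    e = len(M[0])
    s = [p % q] + [random.randrange(q) for _ in range(e - 1)]
    return [sum(M[j][c] * s[c] for c in range(e)) % q for j in range(len(M))]

def to_packet(shares, bits=BITS):
    """Step 2: append the ternary digit 2 to each share's binary string and read the
    concatenation as a base-3 number; this is the packet w_i sent on one path."""
    return int("".join(format(x, f"0{bits}b") + "2" for x in shares), 3)

def from_packet(w, bits=BITS):
    """Receiver's inverse: write w in base 3 and split on the separator digit 2."""
    digits = ""
    while w:
        digits, w = str(w % 3) + digits, w // 3
    return [int(part.zfill(bits), 2) for part in digits.split("2")[:-1]]

def solve_lambda(M_A, T, q=Q):
    """lambda_A with lambda_A x M_A = T, by Gaussian elimination on M_A^T over GF(q);
    None when T is not in the row span of M_A (A is not an access set)."""
    k, e = len(M_A), len(M_A[0])
    aug = [[M_A[j][c] for j in range(k)] + [T[c]] for c in range(e)]
    pivots, r = [], 0
    for col in range(k):
        piv = next((i for i in range(r, e) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], q - 2, q)
        aug[r] = [v * inv % q for v in aug[r]]
        for i in range(e):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % q for a, b in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    if any(not any(row[:k]) and row[k] for row in aug):
        return None
    lam = [0] * k
    for i, col in enumerate(pivots):
        lam[col] = aug[i][k]
    return lam

def reconstruct(packets, M, psi, T, access_sets, q=Q):
    """Stage 2 of Fig. 8: reconstruct with every access set A (a set of paths) and accept
    the pad only if all of them agree; otherwise return None (R then replies publicly)."""
    shares = {path: from_packet(w) for path, w in packets.items()}
    values = set()
    for A in access_sets:
        rows = [j for path in A for j in rows_of(psi, path)]
        x_A = [shares[path][i] for path in A for i in range(len(rows_of(psi, path)))]
        lam = solve_lambda([M[j] for j in rows], T, q)
        assert lam is not None, "A is not an access set"
        values.add(sum(l * x for l, x in zip(lam, x_A)) % q)
    return values.pop() if len(values) == 1 else None

def faulty_paths(sent, received):
    """Stage 3 of Fig. 8: F = {p_j | w_j != r_j} over the paths R reported hearing on."""
    return {path for path, r in received.items() if sent[path] != r}

def demo(corrupt=None, seed=1):
    """Four constructed paths, p1 carrying two shares; optionally corrupt one packet."""
    random.seed(seed)
    paths = ["p1", "p2", "p3", "p4"]
    M, psi = msp_threshold(["p1", "p1", "p2", "p3", "p4"], e=3)
    T = [1, 0, 0]
    access = [A for n in range(1, 5) for A in combinations(paths, n)
              if sum(len(rows_of(psi, p)) for p in A) >= 3]
    x = share(42, M)
    sent = {p: to_packet([x[j] for j in rows_of(psi, p)]) for p in paths}
    received = dict(sent)
    if corrupt:
        received[corrupt] = to_packet([(v + 1) % Q for v in from_packet(sent[corrupt])])
    return reconstruct(received, M, psi, T, access), faulty_paths(sent, received)
```

demo() returns the agreed pad 42 with an empty F; corrupting one path's packet makes the access sets disagree, so R would reply publicly and S would mark that path faulty.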

Theorem 8. The transmission protocol given in Fig. 8 has the following properties: (1) The protocol provably terminates and runs in time polynomial in (n + |A_adv|). (2) The protocol satisfies the security requirements. (3) The overall message complexity of the protocol is polynomial in (n + |A_adv|). The proof follows from Lemma 1, Theorem [ref], Lemma 2 and Lemma 3.

Lemma 1 (Termination). The transmission protocol will terminate in at most |A| iterations.

PROOF: We show that if an iteration did not successfully transmit the random pad p, at least one faulty path will be detected. In each iteration, every path can be classified as an OK path (R receives one message), a talkative path (R receives more than one message), or a silent path. The transmission of p will be successful if all the messages received on the OK paths were correct and there are no talkative paths. (We know that silent paths form a disruptive set in one of the classes in the path adversary structure.) If there is even one talkative path p_i, it would be marked with r_i = ⊥ and hence be recognized by S as faulty. If any one of the messages on the OK paths is wrong, this path will be recognized as faulty, since S reliably receives all the messages received by R (due to public transmission). Therefore, in each unsuccessful iteration, at least one faulty path is detected and thereby eliminated. Because of Pruning Step ((b) & (c)) (see Fig. 8) the faulty path cannot occur in all the sets in A_path(S,R). This
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The Transmission Protocol

Inputs: m, Φ(S,R), A_path(S,R), Algorithm T (see Fig. 7) and A_async.

Stage 1:

Code for S:

Choose a random pad p ∈ F. Divide p into shares x_j using Algorithm T. Send (using N) each packet w_i on its corresponding path p_i ∈ Φ(S,R).

Stage 2:

Code for R:

IF for every set A in the path access structure the same value ℓ is reconstructed using T from the shares received on the paths {p_i | p_i ∈ A}
THEN Assign p := ℓ and publicly send OK on all paths p_i ∈ Φ(S,R).
ELSE Publicly send Γ (the received messages) on all paths p_i ∈ Φ(S,R).

Stage 3:

Code for S:

IF OK received publicly in Stage 2
THEN Publicly send Z = p ⊕ m to R.
ELSE DO

1. Receive Γ' = {r_1, ..., r_{|Φ(S,R)|}} publicly and construct the set S_recd = {p_i | r_i ≠ ⊥}.

2. Define the set of faulty paths F = {p_j | w_j ≠ r_j, r_j ∈ Γ', p_j ∈ S_recd}.

3. Publicly send F to R.

4. Pruning Step:

(a) A_path(S,R) = {(A_D, A_E) | (A_D, A_E) ∈ A_path(S,R), F ⊆ A_D}.

Comment: ... certainly not corrupted by the adversary.

(b) G = {p | p ∈ Φ(S,R), ∀(A_D, A_E) ∈ A_path(S,R), p ∈ A_D}.

Comment: Set G is the set of paths which we know are definitely corrupted.

(c) Set Φ(S,R) = (Φ(S,R) \ G) and update A_path(S,R).

5. REPEAT the protocol with the modified inputs and a new pad p' ∈ F.

Code for R:

IF OK publicly sent to S in Stage 2
THEN receive Z publicly and compute m = Z ⊕ p.
ELSE Publicly receive F. Perform the Pruning Step and locally modify A_path(S,R) and Φ(S,R). REPEAT the protocol with the modified inputs.


Fig. 8. Perfectly Secure Transmission Protocol over Asynchronous Networks.


would result in the elimination of at least one set from the path adversary structure in each iteration, because of Pruning Step (a). Hence, the algorithm will terminate in at most |A_path(S,R)| = |A| iterations. □

Lemma 2 (Security). The protocol satisfies the resiliency and secrecy conditions for perfectly secure message transmission.

Proof of Resilience: The proof of resilience is similar to the one for the synchronous case. All that we need to prove is that whenever R is able to successfully reconstruct a value of p', then p' = p, i.e., R always reconstructs the correct value. We know that the path adversary structure satisfies Q^(3,0).^7

Exploiting the asynchrony of the network, the adversary can schedule the messages on the honest paths in some A_D, where (A_D, A_E) ∈ A_path(S,R), and corrupt messages on some other paths in A'_D, where (A'_D, A'_E) ∈ A_path(S,R).

7 The notation Q^(k,ℓ) has the same meaning as defined in [ref].
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By the definition of the corresponding access structure, there exists an access set A_acc = Φ(S,R) \ (A_D ∪ A'_D). Clearly, in our case the messages R receives through these paths are correct, i.e., they are the actual shares that S sent. Hence, the secret reconstructed using the MSP and this access set will be p, the pad that S intended to send. R reconstructs the secret correctly if and only if the secrets reconstructed using all the sets in the access structure are the same. Hence, if R successfully reconstructs the secret, surely the reconstructed pad will be p.

Proof of Secrecy: Let the secret message to be transmit be m ∈ F. We first observe that in each of the attempted transmissions of a random pad p, the adversary cannot "access" the secret (by definition of an MSP). Moreover, each pad p used in an iteration is independent of all the previous pads and of the message m. Let r ∈ F be a random field element. We claim that for any view V of A, V occurs with the same probability in a transmission of m as in a transmission of m' = m ⊕ r. Consider the case when the transmission of the pad p is successful. For the transmission of p, s = [p, φ_1, ..., φ_{e-1}], while during the transmission of p', s' = [p', φ'_1, ..., φ'_{e-1}]. S sends Z = m ⊕ p = m ⊕ (λ × M × s^T) = (m' ⊕ r) ⊕ (r ⊕ (λ × M × s^T)) = m' ⊕ (λ × M × s'^T) = m' ⊕ p'. □

Lemma 3 (Communication Complexity). Each iteration of the protocol communicates a number of bits polynomial in (n + |A|).

PROOF: From Theorem [ref] it is clear that the total number of paths used in the transmission protocol is polynomial in the size of A. In Stage 1 of every iteration, S sends O(|Φ(S,R)|) field elements to R. In Stage 2, R replies with O((|Φ(S,R)|)^2) field elements. Since the size of Φ(S,R) is polynomial in the size of A, the communication complexity of the protocol is polynomial in the size of the input. □

8 Conclusion 

Network synchrony is a very difficult primitive to achieve in real life, and more so in the presence of Byzantine faults in the system. This work initiates and completely characterizes the minimum connectivity requirements for secure communication over completely asynchronous networks (see Table 1). Furthermore, the choice of generalized mixed adversaries has meant that the necessary and sufficient conditions for secure communication over incomplete asynchronous networks for a variety of adversarial settings are studied in a unified manner and expressed in one shot. The study of information-theoretically secure communication is far from closed. We have not considered the third kind of fundamental faulty behaviour, viz. fail-stop faults. Another open thread yet to be explored is to suitably adapt the protocols to (more practical) settings with lower amounts of synchrony, though not completely asynchronous. Such networks are called partially synchronous networks. Yet another interesting setting is one in which the players possess only a partial knowledge of the topology of the network. More
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Table 1. Necessary and sufficient connectivity requirements for the possibility of secure communication between any two honest players over arbitrary asynchronous networks.

                      | Perfect security               | Unconditional security     | Unconditional with Broadcast
Threshold Adversary   | max(t_a, t_p) + 2t_a + 1 [13]  | max(t_a, t_p) + 2t_a + 1   | 2t_a + t_p + 1
Generalized Adversary | (A^(3,0) & A^(2,1))            | (A^(3,0) & A^(2,1))        | (A^(2,1))


realistic adversary models are worth exploring and will have repercussions not only for the secure communication problem but also in the field of secure multiparty computation. Extant adversary models characterize a deviant player as either an honest player or a dishonest player. However, in real life players being "fairly honest" and "slightly dishonest" makes sense. Viewing the honesty of the players with this fuzzy outlook is worth exploring. Furthermore, among the efficiency considerations, it would be worth investigating the direct-sum question with respect to the communication as well as randomness complexities. Moreover, our protocols (for the perfect security case) are based on perfect linear secret sharing schemes. This work does not investigate the deployment of non-linear secret sharing schemes that may prove to be more efficient (see [ref]).
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Abstract. SHACAL is a 160-bit block cipher based on the hash standard SHA-1, submitted to NESSIE. SHACAL uses XOR, modular addition and functions that operate in a bit-by-bit manner. These operations and functions make differential cryptanalysis difficult, i.e., it is hard to find a long differential characteristic with high probability. But we can find short differential characteristics with high probabilities. Using this fact, we discuss the security of SHACAL against an amplified boomerang attack. We find a 36-step boomerang-distinguisher and present attacks on reduced-round SHACAL with various key sizes. We can attack 39-step SHACAL with a 256-bit key, and 47-step SHACAL with a 512-bit key. In addition, we present differential attacks on reduced-round SHACAL with various key sizes.

Keywords: SHACAL, Amplified boomerang attack, Boomerang-distinguisher

1 Introduction 

SHACAL is a 4-round block cipher (each round consists of 20 steps) designed by H. Handschuh and D. Naccache and is one of the accepted NESSIE submissions. SHACAL was designed by using the hash standard SHA-1 in encryption mode for the first time in 2000. Also, H. Handschuh and D. Naccache introduced a modification [ref] of SHACAL in its two versions SHACAL-1 and SHACAL-2 in 2001. In its basic version, SHACAL-1 is a 160-bit block cipher based on SHA-1, and in its extended version, SHACAL-2 is a 256-bit block cipher based on SHA-2. In this paper, we only attack reduced-round SHACAL-1. We will simply call SHACAL-1 SHACAL.

The main cryptanalytic results obtained on SHACAL so far are the analysis of differential and linear attacks by the algorithm designers [ref], and the statistical evaluation by J. Nakahara Jr. [ref]. In [ref], the algorithm designers proposed 10-step linear approximations with bias 2^-6 in rounds 1, 2 and 4 respectively, and a 10-step linear approximation with bias 2^-5 in round 3. Also, they proposed a 10-step differential characteristic with probability 2^-13 in rounds 1 and 3, and a 10-step differential characteristic with probability 2^-26 in rounds 2 and 4. Using these 10-step linear approximations and differential characteristics, they concluded that a
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Table 1. Our result of attacks on reduced-round SHACAL

Master Key | Steps | Methods   | Data        | Time
128-bit    | 28    | Amp. Boo. | [illegible] | [illegible]
128-bit    | 30    | DC        | 2^110       | [illegible]
160-bit    | 37    | Amp. Boo. | 2^158.5     | 2^87.8
160-bit    | 32    | DC        | 2^141       | 2^105
256-bit    | 39    | Amp. Boo. | 2^158.5     | 2^250.8
256-bit    | 34    | DC        | 2^141       | [illegible]
512-bit    | 47    | Amp. Boo. | 2^158.5     | 2^508.4
512-bit    | 41    | DC        | 2^141       | 2^491


linear attack with less than 2^80 known plaintexts is not applicable to full-round SHACAL, and that a differential attack with less than 2^116 chosen plaintexts is not applicable to full-round SHACAL.

In this paper, we propose a 10-step differential characteristic with probability 2^-12 in rounds 2 and 4. This characteristic has a much higher probability than the one proposed by the algorithm designers. Using this characteristic, we describe a 36-step boomerang-distinguisher. We use this boomerang-distinguisher to devise amplified boomerang attacks on reduced-round SHACAL with various key sizes. Moreover, we present a differential attack and compare the results of the amplified boomerang attack with those of the differential attack. Table 1 summarizes the attacks on reduced-round SHACAL with respect to master key sizes. The amplified boomerang attack is denoted by Amp. Boo. in Table 1, and a time complexity of n means that the time of an attack corresponds to performing n encryptions of the underlying cipher.

2 Preliminaries 

2.1 Description of SHACAL 

SHA is a hash function which was introduced by the American National Institute of Standards and Technology in 1993, and is known as SHA-0. In 1995, a minor change to SHA-0 was made; this variant is known as SHA-1. The standard now includes only SHA-1. SHACAL is a 160-bit block cipher based on the hash standard SHA-1. The description of SHACAL [ref] is as follows.

Notation:

- +: Addition modulo 2^32 of 32-bit words.

- ROT_i(X): Rotate the 32-bit word X to the left by i bit positions.

- ⊕: Bitwise exclusive-or.

- &: Bitwise and.

- |: Bitwise or.

The procedure to encrypt a message is as follows. 
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1. Insert the 160-bit message X (= X_1||X_2||X_3||X_4||X_5), where each X_i is a 32-bit word, into the 32-bit words A_0, B_0, C_0, D_0, E_0 by

A_0 = X_1, B_0 = X_2, C_0 = X_3, D_0 = X_4, E_0 = X_5.

2. Encrypt the 32-bit words A_0, B_0, C_0, D_0, E_0 in a total of 80 steps. So, we have a ciphertext A_80, B_80, C_80, D_80, E_80. The encryption process of the i-th step is as follows:

A_i = K_i + ROT_5(A_{i-1}) + f_i(B_{i-1}, C_{i-1}, D_{i-1}) + E_{i-1} + Y_i
B_i = A_{i-1}
C_i = ROT_30(B_{i-1})
D_i = C_{i-1}
E_i = D_{i-1}

for i = 1, ..., 80, where

f_i(B, C, D) = (B & C) | (¬B & D),            (1 ≤ i ≤ 20)
f_i(B, C, D) = B ⊕ C ⊕ D,                     (21 ≤ i ≤ 40, 61 ≤ i ≤ 80)
f_i(B, C, D) = (B & C) | (B & D) | (C & D),   (41 ≤ i ≤ 60)

We call each f_i f_if (1 ≤ i ≤ 20), f_xor (21 ≤ i ≤ 40, 61 ≤ i ≤ 80), and f_maj (41 ≤ i ≤ 60), respectively. Each K_i is the 32-bit subkey of the i-th step. Each constant Y_i is defined as

Y_i = 5a827999_x,   (1 ≤ i ≤ 20)
Y_i = 6ed9eba1_x,   (21 ≤ i ≤ 40)
Y_i = 8f1bbcdc_x,   (41 ≤ i ≤ 60)
Y_i = ca62c1d6_x,   (61 ≤ i ≤ 80)

The key scheduling of SHACAL takes a maximum 512-bit key, and shorter keys may be used by padding the key with zeros to a 512-bit string. However, SHACAL is not intended to be used with a key shorter than 128 bits. Let the 512-bit key string be denoted K = [K_1||K_2|| ... ||K_16], where each K_i is a 32-bit word. The key expansion of the 512-bit K to 2560 bits is defined by

K_i = ROT_1(K_{i-3} ⊕ K_{i-8} ⊕ K_{i-14} ⊕ K_{i-16}),   (17 ≤ i ≤ 80)


2.2 Amplified Boomerang Attack 

The amplified boomerang attack [ref] is a chosen plaintext attack, while the boomerang attack [ref] is an adaptive chosen plaintext and ciphertext attack. The main idea of the amplified boomerang attack is to use two short differential characteristics with high probabilities instead of a long characteristic with low probability.
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Let a block cipher E : {0,1}^n × {0,1}^k → {0,1}^n be composed of a cascade E = E_1 ∘ E_0. We assume that for E_0 there exists a differential characteristic α → β with probability p, and for E_1 there exists a differential characteristic γ → δ with probability q, where pq ≫ 2^{-n/2}.

The amplified boomerang attack is based on building quartets of plaintexts (X_1, X_2, X_3, X_4) which satisfy several differential conditions. Assume that X_1 ⊕ X_2 = α and X_3 ⊕ X_4 = α. We denote by X'_1, X'_2, X'_3, X'_4 the encrypted values of X_1, X_2, X_3, X_4 under E_0 respectively, and by X''_1, X''_2, X''_3, X''_4 the encrypted values of X'_1, X'_2, X'_3, X'_4 under E_1 respectively. We are interested in the cases where X'_1 ⊕ X'_2 = X'_3 ⊕ X'_4 = β and X'_1 ⊕ X'_3 = γ (or X'_1 ⊕ X'_4 = γ), as in these cases X'_2 ⊕ X'_4 = (X'_1 ⊕ β) ⊕ (X'_3 ⊕ β) = γ (or X'_2 ⊕ X'_3 = γ) as well. If the output difference of E_1 becomes δ when the input difference is γ, i.e., X''_1 ⊕ X''_3 = X''_2 ⊕ X''_4 = δ (or X''_1 ⊕ X''_4 = X''_2 ⊕ X''_3 = δ), a quartet satisfying all these differential conditions is called a right quartet. A description of such a quartet is shown in Fig. 1.

If we have m pairs with difference α, we can calculate the fraction of right quartets among all the quartets generated by the m pairs. First, we have about mp pairs satisfying the differential characteristic α → β for E_0. The mp pairs generate about (mp)^2/2 quartets consisting of two such pairs. Assuming that the intermediate encryption values are distributed uniformly over all possible values, we get X'_1 ⊕ X'_3 = γ or X'_1 ⊕ X'_4 = γ with probability 2^{-n+1}. Second, for the ((mp)^2/2) · 2^{-n+1} quartets satisfying the above differential conditions, we can get


Fig. 1. Boomerang-Distinguisher 
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right quartets with probability q^2 by the characteristic for E_1. Therefore, the expected number of right quartets is about m^2 · 2^{-n} · (pq)^2.

For a random permutation, the expected number of right quartets is about m^2 · 2^{-2n} (= (m^2/2) · 2^{-2n+1}). Therefore, if pq > 2^{-n/2} and m is sufficiently large, we can have a boomerang-distinguisher which distinguishes between E and a random cipher.

3 Amplified Boomerang Attacks on SHACAL 

We describe the differential properties of the two operations and the three step functions used in SHACAL. We find a 36-step boomerang-distinguisher of SHACAL using these properties and attack reduced-round SHACAL.

3.1 Differential Properties for SHACAL

We present two differential properties used in generating a differential characteristic of SHACAL. What generates a differential probability on SHACAL is, first, the use of both XOR and modular addition, and second, the functions f_if, f_xor, f_maj.

First, we consider the relation between XOR differences and modular addition. Let X, Y and X*, Y* be 32-bit words. We assume Z = X + Y and Z* = X* + Y*. If the words X and Y only differ in the position of bit i (0 ≤ i ≤ 31), we denote this by X ⊕ Y = e_i, where the most significant bit (left) is the bit at position 31. Then, we have the following four relations [ref] between XOR differences and modular addition. In relations 3 and 4, j satisfies 0 ≤ j ≤ 30.

1. If X ⊕ X* = e_31 and Y = Y*, then Z ⊕ Z* = e_31 with probability 1.

2. If X ⊕ X* = e_31 and Y ⊕ Y* = e_31, then Z = Z* with probability 1.

3. If X ⊕ X* = e_j and Y = Y*, then Z ⊕ Z* = e_j with probability 1/2.

4. If X ⊕ X* = e_j and Y ⊕ Y* = e_j, then Z = Z* with probability 1/2.

Second, we consider differential probabilities for the functions f_if, f_xor, f_maj. These functions operate in a bit-by-bit manner. Thus, we can regard each as a boolean function mapping a 3-bit input to a 1-bit output. Table 2 [ref] shows the distribution of XOR differences through all three functions. The notation of the table is as follows. The first three columns represent the eight possible differences in the one-bit inputs x, y, z. The next three columns indicate the differences in the outputs of each of the three functions. In the last three columns, a '0' ('1') means that the difference will always be zero (one), and a '0/1' means that in half of the cases the difference will be zero and in the other half of the cases the difference will be one.
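The step function of Section 2.1 and the differential properties of this subsection, as an added example that is neither the designers' nor the authors' code: it implements the SHACAL step and key schedule as described above, checks them against the SHA-1 digest of "abc" (SHACAL is the SHA-1 compression function without the final feed-forward addition), derives Table 2 exhaustively and samples relations 1 to 4; the seed and trial count are assumptions.

```python
"""SHACAL step function (Section 2.1) and an empirical check of the differential
properties of Section 3.1. Added example, not the designers' reference code; the
step function, constants and key schedule follow the description in the text, and the
SHA-1 "abc" test vector checks them (SHACAL = SHA-1 compression without feed-forward)."""
import random
from itertools import product

MASK = 0xFFFFFFFF

def rot(x, i):
    """ROT_i(X): rotate the 32-bit word X left by i positions."""
    return ((x << i) | (x >> (32 - i))) & MASK

def f_if(b, c, d):
    return (b & c) | ((~b & MASK) & d)

def f_xor(b, c, d):
    return b ^ c ^ d

def f_maj(b, c, d):
    return (b & c) | (b & d) | (c & d)

def f_step(i, b, c, d):
    """f_i: f_if for steps 1-20, f_xor for 21-40 and 61-80, f_maj for 41-60."""
    if i <= 20:
        return f_if(b, c, d)
    if i <= 40 or i > 60:
        return f_xor(b, c, d)
    return f_maj(b, c, d)

def y_const(i):
    """Step constants Y_i, one per 20-step round."""
    return (0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xca62c1d6)[(i - 1) // 20]

def expand_key(key_words):
    """K_1..K_16 from the zero-padded 512-bit key, then
    K_i = ROT_1(K_{i-3} ^ K_{i-8} ^ K_{i-14} ^ K_{i-16}) for 17 <= i <= 80."""
    k = list(key_words) + [0] * (16 - len(key_words))
    for i in range(16, 80):
        k.append(rot(k[i - 3] ^ k[i - 8] ^ k[i - 14] ^ k[i - 16], 1))
    return k

def encrypt(block, key_words, steps=80):
    """Encrypt the 160-bit block (A_0, ..., E_0) for the given number of steps."""
    a, b, c, d, e = block
    k = expand_key(key_words)
    for i in range(1, steps + 1):
        a, b, c, d, e = ((k[i - 1] + rot(a, 5) + f_step(i, b, c, d) + e + y_const(i)) & MASK,
                         a, rot(b, 30), c, d)
    return [a, b, c, d, e]

def sha1_abc_check():
    """Use the padded message "abc" as the key and the SHA-1 IV as the block; adding the
    IV back to the 80-step output must give the well-known SHA-1 digest of "abc"."""
    iv = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    key = [0x61626380] + [0] * 14 + [0x18]   # "abc", padding bit, bit length 24
    out = encrypt(iv, key)
    return "".join(f"{(o + v) & MASK:08x}" for o, v in zip(out, iv))

def diff_table():
    """Table 2: output XOR difference of each f-function for every one-bit input
    difference (dx, dy, dz): '0', '1' or '0/1' (half the cases each)."""
    table = {}
    for dx, dy, dz in product((0, 1), repeat=3):
        row = {}
        for name, f in (("f_if", f_if), ("f_xor", f_xor), ("f_maj", f_maj)):
            outs = {(f(x, y, z) ^ f(x ^ dx, y ^ dy, z ^ dz)) & 1
                    for x, y, z in product((0, 1), repeat=3)}
            row[name] = "0/1" if len(outs) == 2 else str(outs.pop())
        table[(dx, dy, dz)] = row
    return table

def addition_relation(j, y_differs, trials=4000, seed=7):
    """Relations 1-4: X and X* differ only in bit j (Y and Y* too if y_differs).
    Returns the observed fraction of trials with Z ^ Z* = e_j (y_differs=False) or
    Z = Z* (y_differs=True), Z = X + Y mod 2^32: exactly 1 for j = 31, about 1/2 otherwise."""
    rng = random.Random(seed)   # constructed, seeded sample
    hits = 0
    for _ in range(trials):
        x, y = rng.getrandbits(32), rng.getrandbits(32)
        xs = x ^ (1 << j)
        ys = y ^ (1 << j) if y_differs else y
        z, zs = (x + y) & MASK, (xs + ys) & MASK
        hits += (z == zs) if y_differs else ((z ^ zs) == (1 << j))
    return hits / trials
```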

3.2 The 36-Step Boomerang-Distinguisher 

Using the differential properties shown in the previous subsection, we describe two differential characteristics which make up a boomerang-distinguisher for SHACAL. That is, the first differential characteristic is α → β with probability
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Table 2. The XOR differential distribution table of the f-functions

 x | y | z | f_xor | f_if | f_maj
 0 | 0 | 0 |   0   |  0   |  0
 0 | 0 | 1 |   1   | 0/1  | 0/1
 0 | 1 | 0 |   1   | 0/1  | 0/1
 1 | 0 | 0 |   1   | 0/1  | 0/1
 0 | 1 | 1 |   0   |  1   | 0/1
 1 | 0 | 1 |   0   | 0/1  | 0/1
 1 | 1 | 0 |   0   | 0/1  | 0/1
 1 | 1 | 1 |   1   | 0/1  |  1



p (= 2^-45) from steps 1 to 21, where the differences are α = (0, e_22, e_15, e_10, e_5) and β = (e_{2,7,14,24,29}, e_19, e_12, e_7, e_2), and e_{i_1,...,i_k} indicates e_{i_1} ⊕ ... ⊕ e_{i_k}. The second differential characteristic is γ → δ with probability q (= 2^-31) from steps 22 to 36, where the differences are γ = (e_{1,5,8}, e_{1,3,5}, e_{3,13}, e_{1,5,13,31}, e_{6,10,13,31}) and δ = (e_{9,19,29,31}, e_{14,29}, e_{7,29}, e_2, e_29). Table 3 shows the first differential characteristic composed of 21 steps. In Table 3, the first row indicates the input difference of the 1st step, the second column of the i-th step indicates the output difference of the i-th step, and the third column of the i-th step indicates the probability


Table 3. The first differential characteristic for SHACAL (columns: Step, ΔA, ΔB, ΔC, ΔD, ΔE, Prob.; the body of the table was not recovered)

Table 4. The second differential characteristic for SHACAL (columns: Step, ΔA, ΔB, ΔC, ΔD, ΔE, Prob.; the body of the table was not recovered)




with which the output difference of the (i − 1)-th step becomes the output difference of the i-th step. Note that the function f_if is used from steps 1 to 20, and the function f_xor is used at the 21st step. We can easily check the probabilities in Table 3 using the differential properties of SHACAL. Thus, we have the first differential characteristic α → β with probability p (= 2^-45) from steps 1 to 21, shown in Table 3.

Table 4 shows the second differential characteristic composed of 15 steps. Note that the function f_xor is used from steps 22 to 36. Similarly, we have the second differential characteristic γ → δ with probability q (= 2^-31) from steps 22 to 36, shown in Table 4.

The two differential characteristics above can be regarded as extensions of 10-step differential characteristics with high probabilities. That is, in the first differential characteristic, the good 10-step characteristic is (0, e_5, e_1, 0, 0) → (e_9, e_4, e_29, 0, 0) with probability 2^-13 from steps 9 to 18, and in the second differential characteristic, the good 10-step characteristic is (0, e_{1,3}, e_{6,31}, 0, e_{3,6,31}) → (e_{14,29}, e_{9,31}, e_2, e_29, 0) with probability 2^-12 from steps 26 to 35. In particular, the 10-step characteristic from steps 26 to 35 has a much higher probability than the one proposed by the algorithm designers [ref]. Also, if we extend the differential characteristics in Tables 3 and 4 to more steps, the Hamming weights of the differences in the five words become much bigger and the probabilities decrease rapidly. From a heuristic point of view, we conjecture that the 36-step boomerang-distinguisher using the two differential characteristics in Tables 3 and 4 is one of the longest boomerang-distinguishers such that pq ≫ 2^-80 for SHACAL.
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3.3 Attack Procedure

We present here amplified boomerang attacks on reduced-round SHACAL with various key sizes. We now present a method to use the 36-step boomerang-distinguisher to find subkey material.

Let Σ = E_f ∘ E = E_f ∘ E_1 ∘ E_0 be reduced-round SHACAL such that E_0 covers steps 1 to 21 and E_1 covers steps 22 to 36. We find the subkey material of E_f in Σ. The first differential characteristic α → β used in E_0 has the probability p (= 2^-45) and the second differential characteristic γ → δ used in E_1 has the probability q (= 2^-31). The differences α, β, γ and δ are presented in Subsection 3.2. So, we have the 36-step boomerang-distinguisher with probability pq (= 2^-76) from steps 1 to 36.

For m = 2^157.5 pairs with the input difference α, the expected number of right quartets is 8 (= (2^157.5)^2 · 2^-160 · (2^-76)^2). From this fact, we can construct an algorithm to attack Σ with at least a 160-bit key as follows.

1. Choose m (= 2^157.5) pairs with the input difference α.

The expected number of possible quartets from the pool of m pairs is about m^2 (= 2^315). We denote the plaintexts of a quartet by (P_1, P_2, P_3, P_4), where P_1 ⊕ P_2 = P_3 ⊕ P_4 = α, and the corresponding ciphertexts by (C_1, C_2, C_3, C_4).

2. Initialize the counter array with 0's.

The number of counters in the array is equal to the number of possible keys for E_f.

3. Check the differences C_1 ⊕ C_3 = C_2 ⊕ C_4 = δ', where δ' is an element of the set composed of the possible output differences of E_f for the input difference δ (= (e_{9,19,29,31}, e_{14,29}, e_{7,29}, e_2, e_29)).

4. For all the quartets which passed the last test, increase by 1 the counters which correspond to all subkeys K_f of E_f for which E^{-1}_{f,K_f}(C_1) ⊕ E^{-1}_{f,K_f}(C_3) = E^{-1}_{f,K_f}(C_2) ⊕ E^{-1}_{f,K_f}(C_4) = δ.

5. Check all counters, and output the subkey whose counter is greater than or equal to 7.

First, using this algorithm, we show that the reduced 39-step SHACAL with a 256-bit key can be broken by an attack which is faster than an exhaustive search for a master key. Since E_f consists of the 37th, 38th and 39th steps, we can find the 96-bit subkey K_f.

In Step 1, we have 2^315 quartets derived from 2^157.5 pairs with the difference α. For these quartets, we can filter out wrong quartets through Step 3. In Step 3, we take δ' belonging to the set {(?, ?, ?, e_{7,17,27,29}, e_{12,27}) | ? is an arbitrary difference} composed of the possible output differences of E_f for the input difference δ. So, we have 2^187 candidates for right quartets among the 2^315 quartets, since a fraction of (2^-64)^2 of these quartets remain. In Step 4, we guess a 96-bit subkey K_f and decrypt the ciphertexts of the remaining quartets under the guessed key. If a decrypted quartet passes through Step 4, the counter of the guessed key is increased by 1. So, the expected value of the counter of the right subkey is greater than 7, since the expected number of right quartets is about 8. But, for a wrong subkey, the expected value of the counter is equal to 0 or 1, since the expected number of

Amplified Boomerang Attack against Reduced-Round SHACAL 251 


quartets passed through Step 4 is 2 -5 (= 2 187 • (2 -96 ) 2 ). Thus, we can find the 
right key of Ef by the maximum likelihood method. The attack requires 2 158 - 5 
chosen plaintexts and processing equivalent to about 2 158 ' 5 • 2 96 • ~ 2 250 ' 8 

39-step SHACAL encryptions. 

Also, using the algorithm above, we can attack reduced-round SHACAL with keys of at least 256 bits. We assume that for $i = 0, 1, \ldots, 8$, the reduced $(39 + i)$-step SHACAL uses the $(256 + 32 \cdot i)$-bit master key. Since $E_f$ consists of $(i + 3)$ steps, we can find the $(32 \cdot (i + 3))$-bit subkey $K_f$ of the reduced $(39 + i)$-step SHACAL by the algorithm above. In particular, the algorithm for the reduced $(39 + i)$-step SHACAL ($i > 2$) has no filtering process (Step 3), since we use the 36-step boomerang distinguisher for the attack. The attack on $(39 + i)$-step SHACAL requires $2^{158.5}$ chosen plaintexts and processing equivalent to about $2^{158.5} \cdot 2^{32 \cdot (i + 3)} \cdot \frac{i + 3}{39 + i}$ $(\le 2^{252.4 + 32 \cdot i})$ $(39 + i)$-step SHACAL encryptions, where $i = 0, 1, \ldots, 8$. Thus we can attack the reduced 47-step SHACAL with a 512-bit key. Furthermore, we can attack reduced-round SHACAL with keys shorter than 256 bits, except for the 128-bit key. In these cases, since the key sizes are small, the expected number of quartets passing Step 3 (the filtering process) must be less than $2^{156.5}$ for the attack to be faster than exhaustive search. Thus, we can attack the reduced 37-step SHACAL with a 160-bit key and the reduced 38-step SHACAL with a 192- or 224-bit master key. The attack on 37-step SHACAL requires $2^{158.5}$ chosen plaintexts and processing equivalent to about $2^2 \cdot 2^{315} \cdot 2^{-256} \cdot 2^{32} \cdot \frac{1}{37} \approx 2^{87.8}$ 37-step SHACAL encryptions, and the attack on 38-step SHACAL requires $2^{158.5}$ chosen plaintexts and processing equivalent to about $2^2 \cdot 2^{315} \cdot 2^{-192} \cdot 2^{64} \cdot \frac{2}{38} \approx 2^{184.8}$ 38-step SHACAL encryptions.

In the case of a 128-bit key, we cannot use the above 36-step boomerang distinguisher, since the number of required plaintexts must be less than $2^{128}$. So, we must find a new boomerang distinguisher with probability $pq$ higher than $2^{-45.5}$ $(= \{2^3 \cdot (2^{-127})^2 \cdot 2^{160}\}^{1/2})$. We can find a 26-step boomerang distinguisher with probability $2^{-45}$ from steps 1 to 26, with which we can attack 28-step SHACAL. Since the differential attack described in the next section applies to SHACAL more effectively than the amplified boomerang attack, we omit the detailed explanation. See the table of results for the attack on SHACAL with a 128-bit key.


4 Differential Attacks on SHACAL 

In this section, we present differential attacks on reduced-round SHACAL. First of all, we describe two differential characteristics which are expanded from the 21-step differential characteristic shown in the table above. One is the 28-step differential characteristic $\alpha \to \beta'$ with probability $2^{-107}$ from steps 1 to 28, the other is the 30-step differential characteristic $\alpha \to \beta''$ with probability $2^{-138}$ from steps 1 to 30, where

$\beta' = (e_{0,2,5,16,19,20,22,25,27},\ e_{3,7,12,14,26,29,30},\ e_{8,10,25},\ e_{8,12,20,27},\ e_{0,3,17,25,30})$

$\beta'' = (\ldots,\ e_{8,10,25})$

We can easily check the probabilities of these differential characteristics using the differential properties of SHACAL.

Using the 28-step differential characteristic, we show that the reduced 30-step SHACAL with a 128-bit key can be broken by a differential attack which is faster than an exhaustive search for the master key. That is, we can find the 64-bit subkey of the 29th and 30th steps. Note that these steps are denoted by $E_f$. The attack procedure is as follows. First, we ask for $2^{109}$ pairs with the input difference $\alpha$. Second, we check whether the output differences of these pairs are equal to $(?, ?, e_{0,3,13,17,18,20,23,25,30}, e_{1,5,10,12,23,27,28}, e_{8,10,25})$. Since a fraction of $2^{-96}$ of these pairs remain, we have about $2^{13}$ $(= 2^{109} \cdot 2^{-96})$ analyzed pairs. Then, we guess a 64-bit subkey of the 29th and 30th steps and decrypt the analyzed pairs using the guessed key. If the difference of the decrypted texts is $\beta'$, the counter of the guessed key is increased. Since the signal-to-noise ratio is extremely high, we can distinguish the right subkey in the key space. Thus, the attack requires $2^{110}$ chosen plaintexts and processing equivalent to about $2^{14} \cdot 2^{64} \cdot \frac{4}{30} \approx 2^{75.1}$ 30-step SHACAL encryptions.

Also, we can attack reduced-round SHACAL with keys of at least 160 bits using the 30-step differential characteristic $\alpha \to \beta''$. To attack successfully, we must ask for $2^{140}$ pairs with the input difference $\alpha$. The attack procedure is similar to that for reduced-round SHACAL with a 128-bit key. Assume that for $i = 0, 1, 2, 3, 4$, the reduced $(32 + i + \theta(i))$-step SHACAL uses the $(160 + 32 \cdot i)$-bit master key. Here the controller $\theta(i)$ is defined as $\theta(0) = \theta(1) = 0$, $\theta(2) = \theta(3) = -1$ and $\theta(4) = -2$. Since $E_f$ consists of $(i + \theta(i) + 2)$ steps, we can find the $(32 \cdot (i + \theta(i) + 2))$-bit subkey of the reduced $(32 + i + \theta(i))$-step SHACAL. The attack on $(32 + i + \theta(i))$-step SHACAL requires $2^{141}$ chosen plaintexts and processing equivalent to about $2^{141} \cdot 2^{-32 \cdot (3 - i - \theta(i))} \cdot 2^{32 \cdot (i + \theta(i) + 2)} \cdot \frac{i + \theta(i) + 2}{32 + i + \theta(i)}$ $(\le 2^{106 + 64 \cdot i + 64 \cdot \theta(i)})$ $(32 + i + \theta(i))$-step SHACAL encryptions, where $i = 0, 1, 2, 3, 4$. ($2^{-32 \cdot (3 - i - \theta(i))}$ is the fraction of the analyzed pairs among all of the pairs.) The reason for the controller $\theta(i)$ is that we decrypt only the analyzed pairs for a guessed key.

Also, for reduced-round SHACAL with a key of at least 320 bits, we can attack without the filtering process. Assume that for $j = 0, 1, \ldots, 6$, the reduced $(35 + j)$-step SHACAL uses the $(320 + 32 \cdot j)$-bit master key. Since $E_f$ consists of $(j + 5)$ steps, we can find the $(32 \cdot (j + 5))$-bit subkey of the reduced $(35 + j)$-step SHACAL. The attack on $(35 + j)$-step SHACAL requires $2^{141}$ chosen plaintexts and processing equivalent to about $2^{141} \cdot 2^{32 \cdot (j + 5)} \cdot \frac{j + 5}{35 + j}$ $(\le 2^{299 + 32 \cdot j})$ $(35 + j)$-step SHACAL encryptions, where $j = 0, 1, \ldots, 6$. Thus, we can attack 41-step SHACAL with a 512-bit key.

5 Conclusion 

SHACAL has short differential characteristics with high probabilities and long ones with low probabilities. From this fact, we could find a 36-step boomerang distinguisher and attack reduced-round SHACAL with various key sizes. We also discussed the security of reduced-round SHACAL against differential cryptanalysis (DC). Comparing the amplified boomerang attack with the differential attack, the latter is more efficient for SHACAL with a 128-bit key, but for SHACAL with the other key sizes the former is more efficient.
Abstract. Differential cryptanalysis analyzes ciphers by studying the development of differences during encryption. Linear cryptanalysis is similar but is based on studying approximate linear relations. In 1994, Langford and Hellman showed that both kinds of analysis can be combined together by a technique called differential-linear cryptanalysis, in which the differential part creates a linear approximation with probability 1. They applied their technique to 8-round DES. In this paper we present an enhancement of differential-linear cryptanalysis in which the inherited linear probability is smaller than 1. We use this extension to describe a differential-linear distinguisher for a 7-round reduced version of DES, and to present the best known key-recovery attack on a 9-round reduced version of DES. We use our enhanced technique to attack COCONUT98 with time complexity $2^{33.7}$ encryptions and $2^{27.7}$ chosen plaintexts.

1 Introduction 

Differential cryptanalysis [2] analyzes ciphers by studying the development of differences during encryption. Linear cryptanalysis is similar but is based on studying approximate linear relations.

In 1994, Langford and Hellman showed that both kinds of analysis can be combined together by a technique called differential-linear cryptanalysis, in which the differential part creates a linear approximation with probability 1. Using their new technique they succeeded in analyzing up to 8-round reduced variants of DES using only 512 chosen plaintexts in a few seconds on a personal computer. This attack is so far the best known attack on 8-round DES.¹ The differential-linear technique was later applied to analyze the IDEA cipher: a reduced version of IDEA was analyzed by a differential-linear attack, and differential-linear weak keys of the full IDEA (along with a related-key differential-linear attack on reduced IDEA) were found. It was also shown that the ciphertext-only extension of differential and linear cryptanalysis works also with differential-linear cryptanalysis.

* The work described in this paper has been supported by the European Commission through the IST Programme under Contract IST-1999-12324.

¹ From now on we will use the shorthand r-round DES for an r-round reduced version of DES.
Langford and Hellman's technique is an example of devising the "distinguisher" used in the attack as a combination of two much simpler parts; in this case a combination of a differential characteristic and a linear approximation. Such combinations were later used in other kinds of cryptanalysis, e.g., cryptanalysis using impossible differentials (miss in the middle) and boomerang attacks [15]; both use combinations of differential characteristics.

In this paper we present an extension of differential-linear cryptanalysis in which the linear probability induced by the differential characteristic is smaller than 1. We use this extension to describe a differential-linear distinguisher for 7-round DES, and then present differential-linear key-recovery attacks on 8-round and 9-round DES. This extension can attack DES with up to 10 rounds, and the 9-round variant of the attack is by far the best known attack against 9-round DES. We also apply the technique to the full COCONUT98.

This paper is organized as follows: In Section 2 we describe Langford and Hellman's differential-linear attacks. In Section 3 we present our differential-linear extension. In Section 4 we present the distinguishing attack on 7-round DES. In Sections 5 and 6 we present the key recovery attacks on 8-round and 9-round DES, respectively. In Section 7 we present a key recovery attack on COCONUT98. Finally, Section 8 summarizes the paper.

2 Differential-Linear Cryptanalysis 

Langford and Hellman show that a concatenation of a differential characteristic and a linear characteristic can be performed. They select a 3-round characteristic of DES, which predicts the differences of a few bits after three rounds with probability 1 (the probability for the whole block difference after three rounds is much lower). So, given a pair of plaintexts with the required plaintext difference, they know the difference of a few bits after three rounds for certain. They use a 3-round linear approximation for rounds 4-6. If the difference in the intermediate data before the linear approximation can be predicted, then we can obtain information about the parities. More precisely, if the difference in the input subset can be predicted, then we know whether the input subset parities in the two encryptions are the same or differ. As the linear approximation predicts the output subset parity, we can now predict whether the output subset parities of the two ciphertexts are more likely to be the same or not. Fortunately, they found differential and linear characteristics in which the subset required for the parity is predicted with probability 1 by the differential characteristic. Thus, the differential characteristic actually tells them the difference of the two parities. Both difference and parity are linear operations (they both use XOR). Thus, the two linear approximations in rounds 4-6 in both encryptions can be combined into a six-round approximation of rounds

$6_1$-$5_1$-$4_1$-differential-$4_2$-$5_2$-$6_2$,

where the subscript denotes whether the round is in the first encryption or the second, and "differential" refers to the differential combiner that ensures that the parities of the data before round 4 in both encryptions are always equal (or always differ).

This enlarged linear characteristic has twice as many rounds as the original, thus its probability is much closer to 1/2 than the original. However, it is still usable, and in various cases it leads to the best known attacks against the analyzed cipher, as in the case of the differential-linear attack on 8-round DES described by Langford and Hellman.

The differential-linear distinguisher is based on encrypting many pairs with some known input difference. Each pair is encrypted, and the output subset parity is computed for both ciphertexts. The fraction of times when the two parities agree differs from 1/2 for a good differential-linear characteristic. Thus, it can be used to distinguish the cipher from a random permutation. A key recovery attack can be mounted using standard techniques (guessing the following round subkey, etc.).

3 Our Differential-Linear Extension 

We observed that in the above approximation

$6_1$-$5_1$-$4_1$-differential-$4_2$-$5_2$-$6_2$

all the rounds are approximated with probabilities which may be different from $1/2 \pm 1/2$, except for the connection by the differential characteristic, which has probability 1.

From now on, we use the standard notations of differential and linear cryptanalysis. In our notations $\Omega_P$, $\Omega_T$ are the input and output differences of the differential characteristic, and $\lambda_P$, $\lambda_T$ are the input and output subsets (denoted by bit masks) of the linear characteristic.

In this paper we propose using a differential connection with fractional probabilities. Let the probability of the linear characteristic be denoted by $1/2 + q$, and the probability of the differential characteristic be denoted by $p'$ (in the case of Langford and Hellman, $p' = 1$ and $q = 0.195$).

Given the probability $p'$ of the differential characteristic, we approximate the linear probability $1/2 + p$ of the relation between the parities of the subset of bits $\lambda_P$ in the two encryptions (in the particular case of $p' = 1$ certainly $p = 1/2$, as in Langford and Hellman's analysis), and then compute the probability of the total relation (from the last round of the linear characteristic through all its rounds backward in the first encryption, through the differential approximation of the parity, through the linear characteristic in the second encryption to its last round). This probability is computed by the usual rule for probabilities of concatenation of linear characteristics. Thus, the total probability is

$1/2 + 4pq^2$.

Enhancing Differential-Linear Cryptanalysis 257

Note that the differential probability $p'$ is the probability for the expected difference in the required subset of bits, which is usually different (higher) than the probability of the differential characteristic with the full block output difference, so the best characteristic for our purposes may be different from the best ordinary characteristic. For example, in Langford and Hellman's case the characteristic predicts with probability 1 only 36 bits of the 64 bits of the output difference; these 36 bits include all the 5 bits of $\lambda_P$. Given an ordinary differential characteristic with probability $p_\Omega$, we know that the full block output difference $\Omega_T$ appears with probability $p_\Omega$, and that with probability $1 - p_\Omega$ the difference is different. When considering only the subset of bits in $\lambda_P$, the probability of the characteristic on these bits becomes $p'$. The probability $1/2 + p$ can now be approximated by

$1/2 + p \approx p' + (1 - p')/2 = 1/2 + p'/2$,

assuming that the parity in the rest of the cases is uniformly distributed. This assumption is not necessarily accurate; for example, there might be other high-probability differential characteristics with the same plaintext difference but with a different (or the same) parity of the subset of bits of the difference. Thus, this approximated probability should be verified by the designer of an attack, and if possible, he should perform a more accurate computation of the probability, or check it experimentally.

It is worth mentioning that the attack works even if the differential characteristic predicts that there are differences in some of the bits in the subset $\lambda_P$. All we need is to know the parity of the differences of the bits in $\lambda_P$ (rather than fixing the differences to 0). For example, assume that $\Omega_T$ = 10 ?0 ?0 67 80 11 76 71$_x$ (where the ? denotes an unpredicted hex digit) and assume that $\lambda_P$ = 00 00 08 D7 00 00 00 01$_x$. Then, the 8 bits selected by $\lambda_P$ are known in $\Omega_T$, of which 5 have value 1 and 3 have value 0. Therefore, the expected parity of the differences of the two runs is $\Omega_T \cdot \lambda_P = 1$. Note that even if $\Omega_T \cdot \lambda_P$ is unknown but constant, the attack still succeeds.
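The parity bookkeeping of this section, worked through as an added example (this code is not from the paper): the partially predicted $\Omega_T$ and the mask $\lambda_P$ are the hex values quoted above, written with '?' for an unpredicted nibble (a convention assumed here), and `combined_bias` applies the approximation $1/2 + 4pq^2$ with $p \approx p'/2$.

```python
"""Added example, not from the paper: bookkeeping for the parity connection
of a differential-linear relation.  The differential characteristic predicts
the output difference Omega_T only on some bits ('?' marks an unpredicted hex
digit); the linear approximation's input mask lambda_P selects a subset of
bits.  The connection is usable exactly when every bit selected by lambda_P
is predicted, in which case the parity Omega_T . lambda_P is known even if
it is 1 rather than 0."""
from typing import Optional, Tuple


def parse_partial_hex(s: str) -> Tuple[int, int]:
    """Parse a 64-bit hex string in which '?' marks an unpredicted nibble.
    Returns (value, known): value has 0 in unknown nibbles, known has F in
    every predicted nibble and 0 in every '?' nibble."""
    digits = s.replace(" ", "")
    if len(digits) != 16:
        raise ValueError("expected 16 hex digits (use '?' for unknown nibbles)")
    value = known = 0
    for d in digits:
        value <<= 4
        known <<= 4
        if d != "?":
            value |= int(d, 16)
            known |= 0xF
    return value, known


def parity(x: int) -> int:
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def predicted_parity(omega_t: str, mask_hex: str) -> Optional[int]:
    """Omega_T . lambda_P, the parity of the predicted difference on the bits
    selected by the mask, or None if the characteristic leaves at least one
    selected bit unpredicted (then the differential part gives no connection)."""
    value, known = parse_partial_hex(omega_t)
    mask = int(mask_hex.replace(" ", ""), 16)
    if mask & ~known:
        return None
    return parity(value & mask)


def combined_bias(p_prime: float, q: float) -> float:
    """Bias of the whole relation, 4 p q^2, with p approximated by p'/2
    (the parity is assumed uniform in the 1 - p' cases where the
    characteristic fails on the selected bits)."""
    p = p_prime / 2
    return 4 * p * q * q
```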

4 A Distinguishing Attack on 7-Round DES 

We now present an attack that distinguishes whether a cipher (given in the form of a black box) is 7-round DES or a random permutation, using the differential-linear technique. We use the following 4-round extended differential characteristic with probability $p_\Omega = 14/64 = 0.21875$, which is an extension by one round of the 3-round characteristic used by Langford and Hellman. This extended characteristic is presented in Figure 1.

The 3-round differential was concatenated with the 3-round linear approximation with probability $1/2 + 0.195$ presented in Figure 2. This 3-round linear approximation is also the best 3-round linear approximation for DES.

We use our 4-round differential characteristic to build a distinguisher with a probability of $1/2 + p \approx 1/2 + \frac{14/64}{2} \approx 1/2 + 0.109$ (recall that for a random permutation this value is 1/2). This approximation assumes that the behavior of the remaining fraction of $1 - 14/64 = 50/64$ of the pairs induces a uniform linear distribution. We have verified the value of $p$ experimentally, and confirmed this probability using hundreds of different keys and millions of encrypted pairs. The linear characteristic has probability $1/2 + q = 1/2 + 2 \cdot (20/64)^2 \approx 1/2 + 0.195$. The total probability of the approximation is thus

$1/2 + 4pq^2 = 1/2 + 4 \cdot 0.109 \cdot 0.195^2 = 1/2 + 0.0167 = 1/2 + 2^{-5.91}$.

Fig. 1. The Extended 4-Round Differential Characteristic Used in Our Distinguisher (where $V \in \{1, \ldots, F_x\}$, $W \in \{0, 8\}$, $X \in \{0, 8\}$, $Y \in \{0, 2\}$, $Z \in \{0, 2\}$, $M \in \{0, \ldots, 7\}$, and any ? is an arbitrary value)

The distinguishing attack is as follows:

1. Select $N = 2^{11.81}$ plaintext pairs with the plaintext difference $\Omega_P$ = 00 80 82 00 60 00 00 00$_x$.

2. Request the ciphertexts of these plaintext pairs (encrypted under the unknown key $K$).

3. For each ciphertext pair, compute the parity of the bits masked by $\lambda_T$ = 21 04 00 80 00 00 80 00$_x$ in each of the ciphertexts, and count for how many pairs both parities are equal. Let the number of such pairs be denoted by $m$.

4. If $m/N > 1/2 + \epsilon$ (i.e., $m > 2^{10.81} + 2^{4.91}$), conclude that the cipher is 7-round DES.

5. Otherwise, conclude that the cipher is not 7-round DES.

Fig. 2. The 3-Round Linear Approximation Used in [10]


The parameters $N$ and $\epsilon$ are selected so as to maximize the success rate of the attack while requiring the lowest data complexity. For $N = 2^{11.81}$ and $\epsilon = 2^{-6.90}$ the attack succeeds with probability higher than 84.13%, and has data and time complexities of $2^{12.81}$.

We point out that unlike most linear attacks (and most differential-linear attacks), it suffices in this case to test whether $m/N > 1/2 + \epsilon$ rather than whether $|m/N - 1/2| > \epsilon$. This follows from the fact that in this specific attack the bias is always positive and is unaffected by any key bit (as all the affected key bits are used twice and thus cancel).

In order to show that for these parameters we get this success rate, we use the following statistical reasoning (see [13]): For a random permutation each pair behaves randomly, and thus in half of the pairs the two parities of the subset of the ciphertext bits are equal. Therefore, the number of equal parities behaves like a binomial random variable $X \sim \mathrm{Bin}(2^{11.81}, 1/2)$. It is easy to see that such a random variable can be approximated by the normal distribution, and thus we conclude that the probability that this random variable (counting the number of pairs with equal parities) is higher than $2^{10.81} + 2^{4.91}$ is at most 15.87%. We conclude that for a random permutation the probability that the above algorithm outputs 'this is a random permutation' is 84.13%.

Repeating this analysis for 7-round DES with $X \sim \mathrm{Bin}(2^{11.81}, 1/2 + 2^{-5.91})$, the probability that the algorithm outputs 'this is a random permutation' is 15.87%.
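The decision rule and the success-rate computation of the distinguisher, as an added example (not code from the paper): the mask, $N$, $\epsilon$ and the bias are the values stated above; the ciphertext pairs are a constructed sample, since producing real 7-round DES ciphertexts would require a DES implementation, and the success rates follow the normal approximation of the binomial counts just described.

```python
"""Added example, not from the paper: decision rule and success rates of the
7-round DES distinguisher with the parameters stated in the text.  The
ciphertext pairs are a constructed sample (no DES is run here); the
statistics use the normal approximation of the binomial counts."""
import math

LAMBDA_T = 0x2104008000008000   # output mask of the 3-round linear approximation
N_PAIRS = 2 ** 11.81            # N, number of plaintext pairs
EPSILON = 2 ** -6.90            # decision margin e on m/N - 1/2
DL_BIAS = 2 ** -5.91            # 4 p q^2 of the 7-round differential-linear relation


def parity(x: int) -> int:
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def count_equal_parities(pairs, mask: int = LAMBDA_T) -> int:
    """Step 3: m = number of ciphertext pairs whose masked parities agree."""
    return sum(parity(c1 & mask) == parity(c2 & mask) for c1, c2 in pairs)


def decision_threshold(n: float = N_PAIRS, eps: float = EPSILON) -> float:
    """m must exceed N/2 + N*e, i.e. 2^10.81 + 2^4.91 for the stated parameters."""
    return n * (0.5 + eps)


def looks_like_7_round_des(m: int, n: float = N_PAIRS, eps: float = EPSILON) -> bool:
    """Steps 4 and 5: one-sided test m/N > 1/2 + e.  No absolute value is
    needed because the bias of this relation is always positive."""
    return m / n > 0.5 + eps


def normal_cdf(z: float) -> float:
    """P[Z <= z] for a standard normal Z."""
    return 0.5 * math.erfc(-z / math.sqrt(2))


def success_rates(n: float = N_PAIRS, bias: float = DL_BIAS, eps: float = EPSILON):
    """Return (P[random permutation is declared random],
               P[7-round DES is declared 7-round DES]).
    m is Bin(n, 1/2) for a random permutation and Bin(n, 1/2 + bias) for
    7-round DES; both are approximated by normal distributions."""
    threshold = decision_threshold(n, eps)
    # Random permutation: mean N/2, variance N/4; declared random when m <= threshold.
    p_random_ok = normal_cdf((threshold - n / 2) / math.sqrt(n / 4))
    # 7-round DES: mean N(1/2 + bias); declared DES when m > threshold.
    p1 = 0.5 + bias
    p_des_ok = 1.0 - normal_cdf((threshold - n * p1) / math.sqrt(n * p1 * (1 - p1)))
    return p_random_ok, p_des_ok


# Constructed sample ciphertext pairs (not DES output), used only to exercise
# the counting step: two pairs agree on the masked parity, one does not.
SAMPLE_PAIRS = [
    (0x2104008000008000, 0x0000000000000000),  # parities 1 and 0: disagree
    (0x2104008000008000, 0x0000008000000000),  # parities 1 and 1: agree
    (0x0123456789ABCDEF, 0x0123456789ABCDEE),  # differ outside the mask: agree
]

if __name__ == "__main__":
    print("threshold on m:", decision_threshold())
    print("success rates (random, DES):", success_rates())
    print("agreeing pairs in sample:", count_equal_parities(SAMPLE_PAIRS))
```

Both success rates come out close to the 84.13% of the text; the small deviation is the rounding of the exponents 11.81, 6.90 and 5.91.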


5 A Key Recovery Attack on 8-Round DES 

This attack can be extended to a key-recovery attack by adding one round to the analysis and using the 7-round distinguisher, as follows:

1. Select $N = 2^{13.81}$ plaintext pairs with the plaintext difference $\Omega_P$ = 00 80 82 00 60 00 00 00$_x$.

2. Request the ciphertexts of these plaintext pairs (encrypted under the unknown key $K$).

3. Initialize an array of 64 counters to zeroes.

4. For each ciphertext pair:

(a) Try all the 64 possible values of the 6 bits of the subkey $K_8$ that enter the S-box S1 in round 8.

(b) For each value of the subkey, compute the output of S1 in the last round, and use its output to compute the parity of the subset of bits in $\lambda_T$ after round 7. Now we can compute the output subset parity, as we know 4 of the subset bits from the ciphertext, and the remaining one from the output of S1 and the ciphertext.

(c) If the parities in both members of the pair are equal, increment the counter in the array which relates to the 6 bits of the subkey.

5. The highest entry in the array should correspond to the six bits of $K_8$ entering S1 in round 8.

6. The rest of the key bits can be recovered by auxiliary techniques.

For $N = 2^{13.81}$ this attack succeeds with probability 77.27% or more. The complexity of the attack is $2^{14.81} \cdot 2^6 / 64 = 2^{14.81}$ time (in units of 8-round DES encryptions; $2^6$ subkeys are tried, and each trial takes about one S-box computation out of the 64 S-box computations of a full encryption), requiring $2^{14.81}$ chosen plaintexts.

6 A Key Recovery Attack on 9-Round DES 

Similarly, the attack can be extended to 9 rounds by analyzing two rounds in addition to the 7-round distinguisher.

In this case we use the slightly modified differential characteristic presented in Figure 3.

This characteristic is similar to the original, except that its first round is replaced. This replacement is done to reduce the number of active S-boxes in the round preceding the characteristic. This characteristic induces a linear probability of $1/2 + p = 1/2 + 0.09375$ (again, we experimentally verified this probability). With this change, the 7-round distinguisher with 84.13% success rate would require $N = 2^{12.25}$ pairs (for $\epsilon = 2^{-7.13}$).

Fig. 3. The Modified 4-round Differential Characteristic Used in the 9-Round Attack

To mount a 9-round key recovery attack, we set the differential and linear characteristics combination at rounds 2-8, and analyze rounds 1 and 9.

The attack is as follows:

1. Select $N = 2^{15.75}$ plaintexts, consisting of $2^{6.75}$ structures, each chosen by selecting:

(a) Any plaintext $P_0$.

(b) The plaintexts $P_1, \ldots, P_{255}$ which differ from $P_0$ by all the 255 possible subsets of the eight bits masked by 18 22 28 28 00 00 00 00$_x$ (these are the output bits of S6 and S8 in round 1).

(c) The plaintexts $P_{256}, \ldots, P_{511}$ selected as $P_i = P_{i-256} \oplus$ 40 00 00 00 00 00 02 02$_x$.

2. Request the ciphertexts of these plaintexts (encrypted under the unknown key $K$).

3. At this stage we do not know which pairs in the structure have the difference $\Omega_P$ before round 2. Instead, we guess these pairs by trying all the possible values of the 12 bits of the subkey $K_1$ which enter S6 and S8.

4. For each value of the 12 bits of $K_1$ entering S6 and S8:

(a) Partially encrypt S6 and S8 in the first round of each plaintext and find the pairs which satisfy the difference $\Omega_P$ before round 2 (assuming the guessed value is correct).

(b) Given all the pairs, apply the 8-round attack on these pairs (the attack is on the 8 rounds from round 2 to round 9).

5. Each trial of the key gives us $12 + 6 = 18$ bits of the subkeys (12 bits in round 1 and 6 bits in round 9), along with a measure of correctness (which is the number of times it is suggested in the 8-round attack). The correct value of the 18 bits is expected to be the most frequently suggested value (with over 88.80% success rate).

6. The rest of the key bits are then recovered by auxiliary techniques.

Note that due to the mass of $2^{12}$ applications of the 8-round attack, and the need to identify which application uses the correct guess of the 12 bits of the first subkey, we need more data than for a single application of the 8-round attack.

This attack requires $2^{15.75}$ chosen plaintexts, and finds the key in time $2^{15.75} \cdot 2^{12} \cdot 2^6 \cdot 3/72 \approx 2^{29.17}$ (in units of 9-round DES encryptions). The time complexity of this attack can be further reduced using auxiliary techniques and reordering of the operations.

7 Attack on COCONUT98 

We can use our results to present the best known attack against the COCONUT98 block cipher. COCONUT98 is a block cipher with a 64-bit block size and a 256-bit key size, designed using the decorrelation theory. The cipher is composed of 4 Feistel rounds, a decorrelation module, and 4 additional Feistel rounds. The decorrelation module is $M(xy) = (xy \oplus K_5K_6) \times K_7K_8 \bmod GF(2^{64})$, where $x, y$ are the 32-bit data words, $xy$ denotes their concatenation, $K_5, K_6, K_7, K_8$ are four 32-bit values supplied by the user key, and $K_7K_8 \neq 0$. The multiplication is over the finite field $GF(2^{64})$ defined by the polynomial $x^{64} + x^{11} + x^2 + x + 1$ over $GF(2)$. Note that the exact underlying polynomial has no effect on our results. The Feistel rounds can be described as follows:

$\phi(x) = x + 256 \cdot S(x \bmod 256) \bmod 2^{32}$

$F_{k_i}(x, y) = (y,\ x \oplus \phi(ROL_{11}(\phi(y \oplus k_i)) + c \bmod 2^{32}))$

where $c$ = B7 E1 51 62$_x$ is a known constant and $k_i$ is the round subkey.

A 4-round differential (of the Feistel rounds) with probability $0.83 \cdot 2^{-4}$ was introduced earlier. It was commented that the expected difference that enters the decorrelation module leads to some fixed but unknown difference after the decorrelation module. We denote this differential by $\Omega_{COCONUT98}$. Thus, $\Omega_{COCONUT98}$ is a differential with probability $p = 0.83 \cdot 2^{-4}$ for the first 4 Feistel rounds and the decorrelation module. Note that we have no idea what the output difference of $\Omega_{COCONUT98}$ is. Still, this does not interfere with our analysis, as we mentioned before. In case the subset $\lambda_P$ of bits of this output difference has an odd number of active bits (i.e., the scalar product $\lambda_P \cdot \Omega_T$ is 1), there are going to be more disagreements on the output parity than agreements, and the linear bias would be negated, without affecting the analysis.

Fig. 4. A 3-round Linear Approximation of COCONUT98 with Probability 1/2+0.0364

In Figure 4 we present a linear approximation for 3 Feistel rounds of COCONUT98. This approximation has probability $1/2 + q = 1/2 + 0.0364$.

We can now use $\Omega_{COCONUT98}$ concatenated to the 3-round linear approximation to present a distinguisher for the entire COCONUT98 but the last round. The distinguisher has a bias of $4pq^2 \approx 1/3638$. Note that we do not know whether the bias is in favor of having the same parity or having complementary parities (as we have no idea what the output of the differential is; this output depends on some key that we do not know), but this does not stop us from attacking the cipher.

The attack retrieves subkey bits of the last round. As the only unknown value in the equation of the parities is the least significant bit of the right half after the 7th Feistel round (just after the approximation), we need to determine the least significant bit of the output of the function $F$ in the last round. As this bit is unaffected by the second $\phi$, and as the addition of the constant $c$ does not change it (the least significant bit of the constant $c$ is 0), it is the bit that is unchanged by the rotate-left operation; in this operation we actually need to know bit 21 before the rotate. In order to determine this bit, we need to know the lower 22 bits that enter the first $\phi$, and we conclude that we need to know the 22 lower key bits in the last round. As guessing these 22 key bits can be very time consuming, we look for more efficient solutions. We can approximate (with very high probability) the true value of the relevant bit by knowing the output of the S-box in the first $\phi$ (i.e., looking at the 8 lower subkey bits) and $m$ bits of the subkey from bit 21 downward. Considering only $m$ subkey bits causes a mistake in a fraction of $2^{-m}$ of the cases. As this mistake appears uniformly and affects all trials similarly, we actually get a bias of $4pq^2 \cdot (1 - 2^{-m+1})$. For the value $m = 7$ this bias is 1/3700. A slight improvement of the bias to the value $4pq^2 = 1/3638$ can be obtained by discarding some mistaken data.

Our attack counts over these $7 + 8 = 15$ subkey bits using the following algorithm:

1. Initialize $2^{15}$ counters. Each corresponds to a different last-round subkey.

2. Encrypt $N$ pairs with the required input difference.

3. For each 15-bit subkey value, partially decrypt all ciphertext pairs and check whether the parities of the subsets are equal or different. For each ciphertext pair, increment the counter of the subkey in case of equality.

4. Look for the counter with the maximal bias from $N/2$ (i.e., $|\text{counter} - N/2|$ is maximal), and suggest the related subkey as the right subkey.

The time complexity of this algorithm is $2N$ encryptions and $2 \cdot 2^{15} \cdot N$ additional last-round activations (and $2^{16}$ additional memory accesses, which we omit). Hence, the total running time of the algorithm is $2^{16} \cdot N/8 = 2^{13} \cdot N$ COCONUT98 encryptions.

We now determine $N$. We associate the right-key counter with the random variable $X$, and each of the $2^{15} - 1$ wrong subkeys with its own random variable $Y_i$. We assume that all of these variables have a normal distribution, that $X \sim N(N/2 + N/3700,\ N/4)$ and that $\forall i: Y_i \sim N(N/2,\ N/4)$. For $N = 8/(1/3700)^2$, the success rate of the attack is at least 75.46%. Thus, we conclude that we need $N = 8 \cdot 3700^2 = 2^{26.7}$ pairs ($2^{27.7}$ chosen plaintexts), and a time complexity of $2^{39.7}$ COCONUT98 encryptions.

The rest of the key can be found with auxiliary techniques using other differentials and linear approximations with negligible additional time and data complexities.

We can reduce the time complexity of the attack by observing that we are actually interested in only 15 bits of the ciphertext. In the above analysis we perform the same operations on the same values many times. Using a precomputed table (which requires $2^{15} \cdot 2^{15} = 2^{30}$ last-round activations to compute) we can reduce the time complexity of the attack to $2^{39.7}$ memory accesses, which are equivalent to at most $2^{33.7}$ COCONUT98 encryptions.
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8 Summary and Conclusions 

In this paper we presented an extension of differential-linear cryptanalysis that 
allows using a differential characteristic with probability lower than 1. We showed 
that this extension can attack DES reduced 7, 8, and 9 rounds. The latter is the 
best known method against 9-round DES. 

This attack can be extended to analyze the 10-round reduced-variant of DES 
with time complexity about 2 50 and using about 2 20 chosen plaintexts. 

We also presented the fastest attack on the full COCONUT98. Our attack 
requires about 2^27.7 chosen plaintexts and a time complexity of about 2^33.7 
COCONUT98 encryptions. Previous results [ref] required 2^16 adaptive chosen plaintexts 
and ciphertexts and 2^38 COCONUT98 encryptions. 

We summarize our results along with previously known results in Table 1. 


Table 1. Summary of Our Results and Previously Known Results 

Cipher         Attack                                     Data        Time     Success Rate 
-------------  -----------------------------------------  ----------  -------  ------------ 
8-round DES    Differential [3]                           2^14 CP     2^9      53% 
               Linear [11]                                2^18 KP     2^25     49.4% 
               Linear [11]                                2^19 KP     2^26     93.2% 
               Differential-Linear [ref]                  512 CP      2^14     80% 
               Differential-Linear [ref]                  768 CP      2^14.6   95% 
               C.P. Linear Cryptanalysis [ref]            2^16 CP     2^23     51% 
               C.P. Linear Cryptanalysis [ref]            2^17 CP     2^24     94% 
               Enhanced Differential-Linear (this paper)  2^14.8 CP   2^14.8   77.3% 
9-round DES    Differential [2]                           2^24 CP     2^32     99.97% 
               Enhanced Differential-Linear (this paper)  2^15.8 CP   2^29.2   88.8% 
COCONUT'98     Boomerang [ref]                            2^16 ACPC   2^38     99.96% 
(full cipher)  Enhanced Differential-Linear (this paper)  2^27.7 CP   2^33.7   75.5% 

Complexity is measured in encryption units. 
CP - Chosen Plaintexts, KP - Known Plaintexts 
ACPC - Adaptive Chosen Plaintexts and Ciphertexts 
Abstract. Several recently proposed ciphers, for example Rijndael and 
Serpent, are built with layers of small S-boxes interconnected by linear 
key-dependent layers. Their security relies on the fact that the classical 
methods of cryptanalysis (e.g. linear or differential attacks) are based on 
probabilistic characteristics, which makes their security grow exponentially 
with the number of rounds N_r. 

In this paper we study the security of such ciphers under an additional 
hypothesis: the S-box can be described by an overdefined system of algebraic 
equations (true with probability 1). We show that this is true 
for both Serpent (due to the small size of its S-boxes) and Rijndael (due to 
unexpected algebraic properties). We study general methods known for 
solving overdefined systems of equations, such as XL from Eurocrypt'00, 
and show their inefficiency. Then we introduce a new method called XSL 
that uses the sparsity of the equations and their specific structure. 

The XSL attack uses only relations true with probability 1, and thus the 
security does not have to grow exponentially in the number of rounds. 
XSL has a parameter P, and from our estimations it seems that P should 
be a constant or grow very slowly with the number of rounds. The XSL 
attack would then be polynomial (or subexponential) in N_r, with a huge 
constant that is double-exponential in the size of the S-box. The exact 
complexity of such attacks is not known due to the redundant equations. 
Though the presented version of the XSL attack always gives more than 
the exhaustive search for Rijndael, it seems to (marginally) 
break 256-bit Serpent. We suggest a new criterion for the design of S-boxes 
in block ciphers: they should not be describable by a system of polynomial 
equations that is too small or too overdefined. 

Key Words: Block ciphers, AES, Rijndael, Square, Serpent, Camellia, 
multivariate quadratic equations, MQ problem, overdefined systems of 
multivariate equations, XL algorithm, Gröbner bases, sparse multivariate 
polynomials, Multivariate Cryptanalysis. 
1 Introduction 

On October 2nd, 2000, NIST selected Rijndael as the Advanced Encryption 
Standard. Serpent was second in the number of votes [ref]. 

In the famous paper from 1949, Claude E. Shannon states that breaking a 
good cipher should require "as much work as solving a system of simultaneous 
equations in a large number of unknowns of a complex type", see [25]. This 
seemed very easy to achieve so far, as solving systems of equations can become 
intractable very easily. Though every cipher can be described in terms of solving 
multivariate equations over GF(2), it does not mean that it can be broken. In [ref] 
the whole AES is represented by one single equation with 2^50 terms. Such a big 
equation has undoubtedly no consequences whatsoever on the security of AES. 
Recently however surprising attacks appeared in public key cryptography: the 
cryptanalysis of the Matsumoto-Imai cryptosystem [ref] by Patarin and the attack 
on the basic version of the HFE cryptosystem by Courtois [ref]. In these attacks the 
security collapses suddenly after discovering the existence of additional multivariate 
equations that are not obvious and have not been anticipated by the 
designers. The subject of this paper is to see if such a weakness can compromise 
the security of a block cipher. For example, we show that the cryptanalysis of 
Rijndael and Serpent reduces to solving a big system of Multivariate Quadratic 
equations (a.k.a. the MQ problem). Unlike in [ref], MQ is a problem already known 
in cryptography that underlies the security of multivariate public key schemes 
such as HFE [ref]. In [22, 23] Shamir et al. show that though MQ is NP-hard, its 
complexity drops substantially when the MQ becomes overdefined (more equations 
than unknowns) (see footnote 1). In this paper we show that if the MQ is sparse and has 
a regular structure, it becomes even much easier. Such will be the MQ systems 
we will write for the Rijndael and Serpent ciphers. 

Since the pioneering work of Luby-Rackoff [ref], there have been many developments 
on the security of top-level schemes of block ciphers. The state of the art in 
both security proofs and generic attacks for Feistel ciphers can be found in [ref] 
and [ref]. However, Rijndael is not a Feistel cipher, and a more powerful theory 
has been developed by Vaudenay to make security proofs against a large 
class of attacks including linear and differential cryptanalysis, for an arbitrary 
type of cipher. From this theory Moriai and Vaudenay developed security proofs 
for idealized versions of several AES candidates [27]. The outcome for Rijndael 
was somewhat strange: the cipher should have > 384 rounds in order to make 
sure it was secure. Similar results were obtained for Serpent. Therefore, it is not 
completely unreasonable to believe that the structure of Rijndael and Serpent 
could allow attacks with complexity growing slowly with the number of rounds. 
In this paper, it seems that we have found such an attack. It depends however 
more on algebraic properties of the S-boxes than on the structure of the cipher, 
and potentially it can probably be extended to any block cipher. 

The paper is organized as follows: First we describe a general class of ciphers 
that includes Rijndael and Serpent. Then we explore algebraic properties of 
their S-boxes and show that they can be described by an overdefined system of 
equations. Consequently, we formulate their cryptanalysis in terms of solving an 
overdefined system of quadratic equations. Though the general XL attack fails, 
we will present an improved method called XSL. It does not yet break Rijndael 
or Serpent but it gives definite conclusions about the design of block ciphers. 

1 Solving MQ in the opposite case of underdefined systems has been studied in [5]. 

2 Substitution-Affine Ciphers, Rijndael and Serpent 

According to Shannon's paradigm [25], a cipher is a combination of some confusion 
and diffusion components. For example, SP-networks [ref] are combinations of 
S-boxes with permutations of bits. More generally, we may allow linear or affine 
functions of bits, not only permutations of wires. We will call it an SA-cipher. In 
[ref] Shamir and Biryukov study general top-level structural attacks against the 
SA-ciphers. These attacks do not depend on the particular S-boxes used. 

In the present paper we use specific properties of the S-boxes. We specify a re- 
stricted class of SA-ciphers called XSL-ciphers. Though our attacks are designed 
for XSL-ciphers, it is obvious that they can be easily extended to all SA-ciphers, 
and even to other block ciphers (including Feistel ciphers), provided that they 
use (only) somewhat “bad” S-boxes and have a regular periodic structure. 


2.1 XSL-Ciphers and the Notations We Use 

By definition, an XSL-cipher is a composition of N_r similar rounds: 

X Before the first round, the input is XOR-ed with the key K_0. Let i = 1. 

S Then a layer of B bijective S-boxes, on s bits each, is applied in parallel. 

L Then a linear diffusion layer is applied. 

X The result is XOR-ed with another session key K_i. 

.. If i = N_r, the final result is produced. 
Otherwise i is incremented and the process goes to step S. 

We denote the key bits used in an XSL-cipher by the variables K_{i,j} with i = 0..N_r 
and j ranging over the bit positions of a session key. There are N_r + 1 session keys; K_0 is the first and K_{N_r} is the 
last. The number of key bits before expansion is H_k, the number of key bits 
after expansion is E_k, and the number of expanded key bits that are linearly 
independent is L_k. If we pick some subset of L_k key variables K_{i,j} that form a 
basis, then we will denote by [K_{i,j}] a linear expression of this bit K_{i,j} as a sum 
of the other K_{k,l} that are in the basis. 

We call X_{i,j} the jth bit of the input of the ith round S-box layer, step S (taken 
after the previous XOR with the session key, step X). We denote by Y_{i,j} the jth bit 
of the input of the linear part L of the ith round (taken after the S-box application 
S). Similarly let Z_{i,j} be the jth bit of the output of the step L (before the next 
key XORing step X). Consequently we will denote the plaintext by Z_0 and the 
ciphertext by X_{N_r+1}; however these are constants, not variables. To summarize 
we have: 
Z_0 -X-> X_1 -S-> Y_1 -L-> Z_1 -X-> X_2 -S-> ... X_{N_r} -S-> Y_{N_r} -L-> Z_{N_r} -X-> X_{N_r+1} 

(each arrow is labelled with the step X, S or L that produces the next value). 

With these notations we obtain X_{i+1,j} = Z_{i,j} ⊕ K_{i,j} for all i = 0..N_r. 


2.2 Top-Level Structure of Rijndael 

Rijndael, specified in [ref], is a special type of XSL-cipher with s = 8 and B = 
4N_b. We will not give a full description of it, but will recall all the essential 
facts when necessary. Rijndael has N_r = 10...14 rounds. The data in Rijndael 
is represented as rectangular "states" that are composed of N_b columns, each 
having the size of 4 S-boxes (4s = 32 bits). We have either N_b = 4, 6 or 8, which 
gives block sizes of 32N_b = 128, 192 and 256 bits respectively. The encryption 
in Rijndael is performed as follows: 

X The input sequence Z_{0,j} is XOR-ed with the session key K_{0,j}. Let i = 1. 

S The resulting sequence X_{i,j} is transformed by B = 4N_b S-boxes on s = 8 
bits each. 

L The resulting sequence Y_{i,j} is then subject to a composition of two linear 
transformations. First we have a permutation of bytes called ShiftRow, then 
four linear transformations MixColumn: GF(256)^4 → GF(256)^4 applied in 
parallel for each of the N_b columns. 
If i = N_r (the last round) we have only ShiftRow; the MixColumn is omitted. 

X The resulting sequence Z_{i,j} is XOR-ed with another session key K_i, producing 
either the ciphertext (if i = N_r), or otherwise the process increments i and goes 
to step S. 

The (unexpanded) key length is H_k = 32N_k bits with N_k = 4, 6 or 8, thus again 
128, 192 and 256 bits respectively. It is then expanded to E_k = (N_r + 1)Bs = 
(N_r + 1)N_b · 32 bits. 

2.3 Top-Level Structure of Serpent 

Serpent, described in [1], is an XSL-cipher with s = 4, B = 32 and N_r = 32. The 
block size is always 128 bits. The key length can be H_k = 128, 192 or 256 bits, 
and is also expanded to E_k = (N_r + 1)Bs = 1056 bits. 

3 S-boxes and Overdefined Algebraic Equations 

The only non-linear part of XSL-ciphers is the S-boxes. Let the function F : 
GF(2)^s → GF(2)^s be such an S-box; given an input x = (x_1..x_s) we obtain 
an output y = (y_1..y_s) = F(x). In Rijndael and Serpent, as in all other 
"good" block ciphers, the S-boxes are built with "good" boolean functions. 
Among the known criteria on cryptographically "good" boolean functions, we 
know that y_i should have a high algebraic degree in the x_i. However, this does 
not assure that there are no other "implicit" multivariate equations of the form 
P(x_1, ..., x_s, y_1, ..., y_s) that are of low algebraic degree. We will show that for 
Rijndael, and for Serpent, for very different reasons, a great number of such 
equations exist. We are interested in the actual number r of such equations 
P(x_1, ..., x_s, y_1, ..., y_s) of low degree d, e.g. d ≤ 2. Unlike for "explicit" 
equations y_i = f(x_1, ..., x_s), this number r can be bigger than s. We are also 
interested in the total number of monomials t that appear in these equations, 
counted including the constant term. With these notations: 

• In general, t is close to the number of all monomials of degree at most d in the 2s 
variables. If t is much smaller than that, we say that the equations are sparse. 

• When r ≈ s, the equations give enough information about the S-box, and the 
system will be sufficiently defined to yield about 1 solution x, given y = F(x). 

Consequently, when r > s, the system is said to be overdefined. 


3.1 Quality of S-boxes and Random S-boxes 

When r is close to t, we may eliminate most of the terms by linear elimination, 
and obtain simpler equations that are sparse and maybe even linear. For this 
reason, it is possible to measure the quality of our system of equations by the 
ratio t/r ≥ 1. If t/r is close to 1, the S-box is considered as "bad". From this point 
of view, both overdefined systems (big r) and sparse systems (small t) will be 
"bad". Otherwise, if the system is not overdefined and not sparse, t/r ≈ O(s^{d−1}), 
and such an S-box will be "good" (unless s is very small). We will see that the 
actual contribution of the S-boxes to the complexity of the attacks described in 
this paper is approximately F = ((t − r)/s)^{⌈(t − r)/s⌉}. It is possible to show that 
for a random S-box, the smallest value of F that can be achieved will be double-exponential 
in s. However it will still be relatively small for Serpent (s = 4). 
For different reasons, the Serpent and Rijndael S-boxes can both be described 
by overdefined systems with quite a small F. 


3.2 Overdefined Equations on the Serpent S-box 

We show that 4-bit S-boxes always give an overdefined system of quadratic 
equations. Consider a 16 × 37 matrix containing in each row the values of the t = 
37 monomials {1, x_1, .., x_4, y_1, .., y_4, x_1x_2, .., x_1y_1, .., y_3y_4} for each of the 2^s = 16 
possible entries x = (x_1, .., x_4). The rank of this matrix is at most 16, therefore 
whatever the S-box is, there will be at least r ≥ 37 − 16 = 21 quadratic equations. 
This is a very overdefined system since 21 ≫ 4. We have t/r ≈ 1.75 and F = 
((t − r)/s)^{⌈(t − r)/s⌉} = 2^8.0. We note that a smaller t/r would be achieved with 
cubic equations on this S-box, but F would be much bigger then. It is also 
possible to consider bi-affine equations. In this case we have t = 25 and r ≥ 
25 − 16 = 9, which is still overdefined; it gives the same value of F = 2^8.0. 


3.3 Overdefined Equations on the Rijndael S-box 

For Rijndael we have s = 8. It is easy to see that with the method described 
above in Section 3.2, a random S-box on 8 bits will give r = 0 because 2^s = 256 
is bigger than the number 137 of possible quadratic terms. We see that s = 8 
is quite big compared to Serpent: there are (2^s)! ≈ 2^1684 bijective S-boxes on 
8 bits, compared with only (2^4)! ≈ 2^44 for s = 4. We don't expect any useful 
properties to happen by chance. Still, the design of the Rijndael S-box induces 
a lot of algebraic structure, see [ref]. This yields very special properties. 

272 Nicolas T. Courtois and Josef Pieprzyk 

The Rijndael S-box is a composition of the "patched" inverse in GF(256), with 0 
mapped on itself, with a multivariate affine transformation GF(2)^8 → GF(2)^8. 
Following [ref] we call these functions g and f respectively, and denote S = f ∘ g. 
Let x be an input value and y = g(x) the corresponding output value. We also 
note z = S(x) = f(g(x)) = f(y). According to the definition of the S-box: 

∀x ≠ 0: 1 = xy 

This equation gives, in turn, 8 multivariate bi-linear equations in 8 variables, 
and this leads to 8 bi-affine equations between the x_i and the z_j. It is possible to 
see that 7 of these equations are true with probability 1, and the 8th is true with 
probability 255/256. The existence of these equations for g and S is obvious. 
Surprisingly, many more such equations exist. For example we have: 


x = x^2 y 

Since x ↦ x^2 is linear, if written as a set of 8 multivariate functions, the above 
equation gives 8 bi-affine equations between the x_i and the y_j, and, in turn, 
between the x_i and the z_j. Adding the fact that the above equation is symmetric 
with respect to the exchange of x and y, we get 16 bi-affine equations true with 
probability 1 between the x_i and the z_j. 

From the above we have 23 quadratic equations between the x_i and the z_j that 
are true with probability 1. We have explicitly computed these equations (see the 
extended version of this paper), verified that they are all linearly independent, 
and also that there are no more such bi-affine equations (see footnote 2). The number of terms 
present in these equations is t = 81. These terms are: {1, x_1, ..., x_8, z_1, ..., z_8, 
x_1z_1, ..., x_8z_8}, and there are no terms x_ix_j or z_iz_j. We get t/r ≈ 3.52 and 
F ≈ 2^22.9, much more than for Serpent. 

An Additional 24th Equation: We observe that in the Rijndael S-box, if x 
is always different from 0, there are 24 linearly independent quadratic equations. 
For one S-box, the probability of this 24th equation being true is 255/256. We 
are interested in the probability that it is true for all S-boxes in the execution of 
Rijndael (i.e. we have x ≠ 0 everywhere). As has already been pointed out by 
the authors of [ref], this probability is quite big. It is in fact: 

(255/256)^{4 · N_b · N_r + ...} 

2 If we square the equation x = x^2 · y we obtain successively x^2 = x^4 · y^2, ..., x^128 = 
x · y^128. It can be seen that each of them also gives 8 bi-affine equations. However, 
since the square is multivariate linear, each of them produces the same 8 equations, 
modulo a linear combination. 
This gives between 1/2 for the smallest Rijndael with 128 bits and about 1/9 for the 
biggest 256-bit version. Therefore, if an attack works better with 24 equations 
and uses only one (or two) executions of the cipher, it will be interesting to use 
r = 24 and repeat the whole attack a few times. Otherwise, we use r = 23. 

Fully Quadratic Equations: It is possible to see that if we consider fully 
quadratic equations, not only bi-affine ones, for each S-box of Rijndael there are 
r = 39 quadratic equations with t = 137. The additional 16 equations come 
from the following two equations: 



However, when r = 39, t = 137, we have F ≈ 2^47.0 instead of 2^22.9, and we always 
obtained worse results in our attacks than with r = 23, t = 81. 
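The counts given in Sections 3.2 and 3.3 can be reproduced mechanically with the matrix-rank argument of Section 3.2. The following Python is an added example, not the paper's code: it evaluates a chosen monomial set for every input of an S-box, stacks the rows over GF(2), reads r off the rank, and evaluates the S-box cost F of Section 3.1. The Serpent S0 table and the AES S-box construction (inverse in GF(2^8) modulo x^8+x^4+x^3+x+1, then the affine map with constant 0x63) are the published definitions; the function names are this example's own.

```python
"""Count the low-degree equations an S-box satisfies with probability 1.

Added example, not code from the Courtois-Pieprzyk paper.  For every input x
we evaluate a fixed list of monomials in the input bits x_i and output bits
y_j and stack the results as rows of a matrix over GF(2).  Every linear
dependency among the t columns is an equation P(x, y) = 0 holding for all
inputs, so r = t - rank, exactly the argument of Sections 3.2 and 3.3.
"""
from itertools import combinations
from math import ceil, log2

# Serpent S-box S0 (published table), used here as the 4-bit example.
SERPENT_S0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]


def gf2_rank(rows):
    """Rank over GF(2) of bit-packed integer rows (Gaussian elimination)."""
    pivots = {}  # top bit position -> reduced row that owns that pivot
    for row in rows:
        while row:
            top = row.bit_length() - 1
            if top not in pivots:
                pivots[top] = row
                break
            row ^= pivots[top]
    return len(pivots)


def monomials(s, kind):
    """Monomials as tuples of variable indices: 0..s-1 are x_i, s..2s-1 are y_j."""
    n = 2 * s
    mons = [()] + [(v,) for v in range(n)]  # the constant 1 and all linear terms
    if kind == "quadratic":                 # every x_i x_j, x_i y_j and y_i y_j
        mons += list(combinations(range(n), 2))
    else:                                   # "biaffine": only the cross terms x_i y_j
        mons += [(i, s + j) for i in range(s) for j in range(s)]
    return mons


def count_equations(sbox, s, kind="quadratic", skip_inputs=()):
    """Return (t, r): number of monomials and of independent equations that
    hold for every input not listed in skip_inputs."""
    mons = monomials(s, kind)
    rows = []
    for x in range(1 << s):
        if x in skip_inputs:
            continue
        vals = [(x >> i) & 1 for i in range(s)] + [(sbox[x] >> j) & 1 for j in range(s)]
        row = 0
        for col, mon in enumerate(mons):
            if all(vals[v] for v in mon):   # the monomial evaluates to 1 at this input
                row |= 1 << col
        rows.append(row)
    t = len(mons)
    return t, t - gf2_rank(rows)


def gf256_mul(a, b):
    """Multiply in GF(2^8) modulo the Rijndael polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def rijndael_sbox():
    """AES S-box: the patched inverse in GF(256) (0 -> 0) followed by the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        inv[a] = next(b for b in range(1, 256) if gf256_mul(a, b) == 1)

    def rotl(v, k):
        return ((v << k) | (v >> (8 - k))) & 0xFF

    return [y ^ rotl(y, 1) ^ rotl(y, 2) ^ rotl(y, 3) ^ rotl(y, 4) ^ 0x63 for y in inv]


def sbox_cost_F(t, r, s):
    """The paper's S-box contribution F = ((t-r)/s)^ceil((t-r)/s) to the XSL cost."""
    q = (t - r) / s
    return q ** ceil(q)


if __name__ == "__main__":
    aes = rijndael_sbox()
    cases = [("Serpent S0, quadratic", SERPENT_S0, 4, "quadratic", ()),
             ("AES, bi-affine", aes, 8, "biaffine", ()),
             ("AES, bi-affine, x != 0", aes, 8, "biaffine", (0,)),
             ("AES, fully quadratic", aes, 8, "quadratic", ())]
    for name, sbox, s, kind, skip in cases:
        t, r = count_equations(sbox, s, kind, skip)
        print(f"{name:24s} t={t:3d} r={r:2d} t/r={t / r:.2f} F=2^{log2(sbox_cost_F(t, r, s)):.1f}")
```

Excluding the input x = 0 from the rows is how the "24th equation" of Section 3.3 shows up: the bi-affine count rises from 23 to 24.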


About Inverse-Based S-boxes: In general, it is easy to see that if the S-box 
on s bits is an affine transformation of the inverse function in GF(2^s), then it 
will give 3s − 1 bi-affine equations true with probability 1, and one additional 
equation true with probability 1 − 1/2^s. We conjecture that for all s there are no more 
such equations (we verified this for several s). Up till now, it seemed a very 
good idea to use such S-boxes: the inverse function (and its affine equivalents) 
has meaningful optimality results with regard to linear, differential and higher-order 
differential attacks, see [ref]. However in our computer simulations, done 
for many permutations including all the possible powers in GF(2^s), the inverse 
(and its equivalents) was always the worst in terms of the number of such 
bi-affine equations. It is an open problem to find any other non-linear function 
GF(2^s) → GF(2^s) that admits so many equations, for some s > 0. Therefore, we 
do not advocate using such S-boxes, even if they are probably still very secure. 

Related Work: The equations we have found for the Rijndael S-box are exactly 
of the same type and of very similar origin as the equations that Jacques 
Patarin discovered in 1988 for the Matsumoto-Imai cryptosystem [ref]. The 
existence of such equations for Rijndael S-boxes was first discovered (but 
not published) by Courtois, Goubin and Patarin, as soon as Rijndael was 
proposed as AES in 2000. Recently, in [ref], Murphy and Robshaw pointed out 
that it is more interesting to manipulate equations over GF(256). It leads to 
systems that are identical (or very similar) in terms of the number of equations 
and number of variables involved. However, the number of different monomials 
t present is lower, which is expected to give better results for our attacks. 

4 MQ Attacks on Block Ciphers 

Given an SA-cipher with S-boxes that can be described in terms of some algebraic 
equations, recovering the key can be written as a problem of solving a system of 
such equations. If these equations are multivariate quadratic, we call this "the 
MQ attack". Such equations exist for Rijndael and Serpent, as shown above in 
Sections 3.3 and 3.2 respectively. 


4.1 Attack Scenarios 

There are many ways in which the MQ attack can be applied. The system of 
equations should be constructed in such a way that it has exactly one solution. 
A system that has one solution on average is sufficient in practice, and if there 
are a few solutions, prior to the solving stage, we would guess and fix a few bits. 


First (General) Attack Ignoring the Key Schedule. This attack is designed 
for any XSL-cipher, whatever the key schedule is. For simplification we 
only consider the known plaintext attack. There are (N_r + 1) keys K_i that are of 
the same size as a plaintext, and we need enough equations to determine them 
uniquely. Hence we need (N_r + 1) known plaintexts. This attack scenario will be 
used in Section 6. 


Second (Specific) Attack Using the Key Schedule. This attack is less 
general and relies on the fact that the key schedules in Rijndael and Serpent 
are very similar to the ciphers themselves: they use a combination of affine 
transformations and (the same) S-boxes. Due to the lack of space, we only study 
the first (more general) scenario and the second will be studied in a separate 
paper. 


Stronger Attack Scenarios. If attacks based on MQ are possible, i.e. there 
are efficient methods to solve quadratic equations, then they allow attacking 
block ciphers in very strong scenarios. For example ciphertext-only attacks will 
be possible if the attacker is able to characterize the redundancy of the plaintext 
in terms of quadratic equations. 


4.2 Direct MQ Attack on Rijndael and Serpent 

It can be seen that in the second attack sc enario, the problem of recovering 
the key of the 128-bit Rijndael amounts to solving a system of 8000 quadratic 
equations with 1600 variables. See Appendix [ref] for details. Similarly, the 128-bit 
Serpent would give a system of (N_r + 1)Br + N_r Br = 43680 equations with 
(N_r + 1)Bs + (N_r − 1)Bs = 8192 variables. 

In the remaining part of the paper we study solving such (and similar) systems 
of equations. Our results are given in Sections 5.2 and 7. 
5 Generic Methods for Solving Multivariate Quadratic Equations 

MQ is known to be an NP-hard problem [23]. Several public key cryptosystems 
are based on MQ, for example HFE [ref]. However, little is known about the 
actual hardness of MQ in practice. From the above it is clear that if this problem 
were very easy for 1600 variables, then Rijndael would be broken. With current 
attacks, factoring a 1600-bit RSA modulus provides a security level slightly lower 
than 2^128 [23]. Therefore, MQ should be at least as hard as factoring. 

5.1 Solving MQ with the XL Algorithm 

In [23] Shamir and Kipnis made an important discovery about the MQ problem: 
solving it should be much easier for overdefined systems (see footnote 3). This idea has been 
developed and consolidated in [ref]. An algorithm called XL is developed for 
this problem. It seems that for a random system of quadratic equations over 
GF(2) (or one that looks random) that has a unique solution, the XL method 
should always work (but maybe not for some very special systems). In [ref] T.T. 
Moh states that "From the theory of Hilbert-Serre, we may deduce that the 
XL program will work for many interesting cases for D large enough". From 
[ref] it appears that XL would be polynomial for very overdefined systems, and 
it seems that a variant of XL might even be subexponential in general (not 
only for overdefined systems). However, very little is known about the actual 
behaviour of XL for very big systems of equations and one can only talk about 
conjectured complexities. 

5.2 First Attempt to Cryptanalyse Rijndael with XL 

For the 128-bit Rijndael with 128-bit key, following Theorem A.3.1 we get a 
system of m = 8000 equations with n = 1600 variables. Following the complexity 
evaluation of XL from [23], the complexity would be about (n choose n/√m)^ω ≈ 2^330, 
assuming ω = 2.376, the best known Gaussian reduction exponent, see [3]. 

This attack fails because for a random system of quadratic R_ini = m = 8000 
equations with n = 1600 variables, we have about T_ini ≈ n^2/2 ≈ 2^20 terms. 
This gives R_ini/T_ini ≈ 2^−7.3, which is very small, and the XL algorithm has to do 
extensive work in order to achieve an expanded system with R/T ≈ 1. It is easy 
to see that in our whole system T_ini ≈ (8 · 32 + 8 · 32 + 8 + 32 + 8) · 4 N_r N_b and 
this gives only R_ini/T_ini ≈ 2^−3.5. Therefore there should be a better attack. In 
the next Section 6.2 we will write the quadratic equations in a different way in 
order to achieve an even higher value of R_ini/T_ini. 

6 XSL Attack on Block Ciphers 

In this section we will write a system of equations that describes uniquely the 
secret key of the cipher, following the first attack scenario from Section 4.1 that 
does not depend on the key schedule. In order to solve these equations, we are 
going to introduce an improved version of the XL approach from [ref], that takes 
advantage of their specific structure and sparsity. We call it "the XSL algorithm" 
where XSL stands for "eXtended Sparse Linearization" or "multiply(X) by 
Selected monomials and Linearize". In the XL algorithm, we would multiply 
each of the equations by all possible monomials of some degree D − 2, see [23]. 
Instead we will only multiply them by carefully selected monomials. It seems 
that the best thing to do is to use products of monomials that already appear 
in other equations. 

3 In this paper we will show that if the MQ is sparse, it is even much easier to solve. 

6.1 Final Step and Working Condition of the XSL Attacks 

In [23], when R ≥ T, we have as many equations as the number of terms that 
appear in these equations, and the big system is expected to be solved by adding 
a new variable for each term and solving a linear system (doing this is known 
as linearization). There is no need to have R much bigger than T, because 
obviously the number of linearly independent equations (denoted later by Free) 
cannot exceed T. In the original paper about XL the system was solved 
when T − Free was a small number. Still it is easy to see that both the XL and XSL 
algorithms can be extended to the case when T − Free is very big (!). 

Let x_1 be a variable, and let T' be the number of terms that can be multiplied 
by x_1 and still belong to the set of T terms. Now we assume that Free ≥ 
T − T' + C with a small C. We apply the following algorithm called "the T' 
method". 

1. By one single Gaussian elimination we bring the system to a form in which 
each term is a known linear combination of the terms in T'. 

2. We do the same pre-computation two times, for example with T' defined for 
x_1 and separately for x_2. 

3. In each of the two systems, we have a subsystem of C equations that contain 
only terms of T'. These new equations are probably not of the same kind 
as the initial equations generated in XL-like attacks: only by combining all 
the equations can one obtain some information about the solution. 

4. In each of the two subsystems of exceeding C equations, we multiply each 
equation by x_1 and x_2, respectively. Then we substitute the expressions from 
point 1 in these to get some other equations that contain only terms of T', 
but for the other variable. These equations are expected to be new and 
different: first because the equations from point 2 are believed to contain 
"some information" about the solution, and moreover if we are over GF(2) 
we will interact with the equation of the field GF(2), which is not necessarily 
done elsewhere. We have done some computer simulations that show that 
this heuristic works very well. See also Appendix [ref] for an example. 

5. Thus, if at the beginning Free ≥ C + T − T' we can "grow" the number of 
equations. For now we expect up to 2C additional equations. 

6. We expect that the number of new equations grows at an exponential rate (see footnote 4). 

7. If the initial system had a unique solution, we expect that we will end up 
with Free = T or Free = T − 1. 

8. For each equation containing only terms in T', the cost to compute a derived 
additional equation will be about T'^2. Since there are T' equations missing, 
we expect to do about T'^3 additional operations in the attack, which can 
probably be reduced to T'^ω and thus will be smaller than T^ω. 

9. If the whole attack fails one should try with another couple of variables instead 
of x_1 and x_2, or use three variables from the start (and three systems). 
We conjecture that three variables should always be sufficient. The number 
of possibilities grows very fast with the number of variables: a new equation 
obtained with one variable can be immediately transformed and expanded 
with all the other variables. 

4 However, even if it grows by 1 each time, the attack will work as predicted. 

For example, in our attack on Rijndael 256 bits given in Section 7.1 we have 
T ≈ 2^125 and T' ≈ 2^114. The attack is expected to work as long as Free ≥ T − T'. 

6.2 Core of the XSL Attacks 

In this version of the XSL attack we assume that the system of equations for 
each S-box is overdefined and r > 2s. Let S be the total number of S-boxes in 
our attack. Since we are going to use the most general attack scenario described 
in Section 4.1 that ignores the key schedule of the cipher, we will have to consider N_r + 1 
executions of the cipher, see Section 4.1. S will be equal to 
S = B · N_r (N_r + 1). 

Equations on the S-boxes and Their Multiples 

Let A be an S-box of an XSL-cipher, called the "active S-box". We write: 

0 = Σ α_{ijk} X_{i,j} Y_{i,k} + Σ β_{ij} X_{i,j} + Σ γ_{ij} Y_{i,j} + δ. 

The total number of terms (i.e. all monomials including the constant) that 
appear in these equations is small, only t (most of them of the form X_{i,j} Y_{i,k}). 
For this reason (unlike in Appendix [ref]) we use both the original variables X_{i,j} 
and Y_{i,k}. 

We will not use these equations directly, but we will, from these equations 
and separately for each S-box, choose some t − r terms as a basis, and write the 
expression of each of the remaining r terms as a linear combination of the (t − r) 
terms for the same S-box. We will choose a basis such that all the terms X_{i,j} and 
Y_{i,j} are not in the basis and such that 1 is in the basis. This is possible because 
r > 2s. Each time in the attack we want to use one of the other r terms, we 
will directly write it as the linear combination of the elements of the basis. 
We define [X_{i,j}] and [Y_{i,j}] as precisely these linear combinations of the (t − r) 
elements of the basis. 

Note: This can be called “a compact version of the first XSL attack”. A different approach is possible that uses all the t terms for each S-box (and later their products). This gives different results and will be studied in a separate paper.

Products of Terms

The critical parameter of our attack will be P ∈ ℕ. We will manipulate products of up to P terms that come from P different S-boxes. The total number of terms used in the attack is about:



Moreover, we have (see the definition of T' given in Section 6.1 above):



with t' < t being the number of terms in the basis for one S-box that can be multiplied by some fixed variable X_{i,j} and are still in the basis. For example for Rijndael we use r = 23, t = 81, and get t' = 9.

6.3 Equations on the Diffusion Layers 

We will construct a set of equations in such a way that they can be multiplied by many products of terms, and that all the resulting products can be written using only the products of up to P terms that are taken in the respective bases we have chosen for P different S-boxes. We will get equations that are linear combinations of the T monomials, as defined above. It seems that the best way to attack our problem is to completely eliminate all the key variables and write all possible equations of the form:



The expressions [X_{i,j}] and [Y_{i,j}] have been defined above; they are linear combinations of the quadratic terms that are the elements of the basis.

We have N_r(N_r + …) such equations. Each of these equations, called an “active equation”, will be multiplied by products of terms for some (P − 1) “passive” S-boxes. Here we need to exclude the terms for a few neighbouring S-boxes (i.e. those that have common variables with the active equation); this does not change the number of equations generated much. The number of new equations is called R. It is approximately:

$$ R \approx N_r (N_r + 1)(Bs) \cdot (t-r)^{P-1} \cdots $$



6.4 Expected Complexity of the XSL Attack 

The goal of the attack is to obtain R > T − T'. Both sides carry the factor (t − r)^{P−1}, and the remaining binomial coefficients combine into the ratio (S − P + 1)/P. We will assume that P ≪ S (S is usually quite big) and thus S − P + 1 ≈ S. This gives:

$$ s \;\geq\; \frac{(t-r)}{P} - \frac{t'}{S}, \qquad \text{i.e.} \qquad s + \frac{t'}{S} \;\geq\; \frac{(t-r)}{P}. $$

We see that this condition can always be satisfied if P is sufficiently big. We get that:

$$ P \;\approx\; \frac{(t-r)}{s + t'/S}. \qquad (\#) $$

Note: From this it might seem that the XSL attack will work for r = 0, 
however we have previously assumed that r > 2s. Therefore r = 0 is not possible. 

Let T^ω be the complexity of the Gaussian reduction; the complexity of the attack is about:

$$ WF \approx T^{\omega} \approx \binom{S}{P}^{\omega} (t-r)^{\omega P} \approx \frac{(t-r)^{\omega P}\,(B \cdot N_r^2)^{\omega P}}{(P!)^{\omega}}. $$


Now let us apply the estimation (#). In practice the value t'/S will be very small, and vanishes for big ciphers (big N_r or big B). Therefore we assume that P = (t − r)/s + o(1). It gives the following (rough) estimation of the complexity of the XSL attack on block ciphers, again assuming that r > 2s:

$$ WF \approx \Gamma^{\omega} \cdot \left(Bs \cdot N_r^2\right)^{\omega \lceil (t-r)/s \rceil} $$

$$ WF = \Gamma^{\omega} \cdot (\text{Block size})^{\omega \lceil (t-r)/s \rceil} \cdot (\text{Number of rounds})^{2\omega \lceil (t-r)/s \rceil} $$

This is polynomial in the block size and the number of rounds. The constant part depends on Γ, which depends only on the parameters of the S-box used in the cipher, and is in general double-exponential in s, see Section [?]. For a given cipher the constant part Γ^ω in the complexity of XSL will be fixed (but usually very, very big).


6.5 Actual Complexity of the XSL Attacks 

In the above derivation we assumed that all the equations in R are linearly independent, and this implies that for some fixed P the attack will always work for any number of rounds. From our early simulations^6 it seems that the attack works for many rounds and then it fails. Thus P would rather increase (but slowly) with the number of rounds.

^6 See the second XSL attack, preliminary version, http://eprint.iacr.org/2002/044/

If P were constant, for a fixed S-box that has many overdefined equations, the XSL attack would be polynomial in the number of rounds. Even if P grows slowly, and XSL is subexponential, it would already be an important breakthrough, as the complexity of the classical attacks on block ciphers, such as linear or differential cryptanalysis, grows exponentially in the number of rounds (and so does the number of required plaintexts).

In fact there is another way to see that there is a risk that the problem of breaking Rijndael might be subexponential when the number of rounds grows. Indeed, in this paper we show how to write Rijndael as an overdefined system of quadratic equations, with size that is linear in N_r, see Appendix A. The problem of solving such a system of quadratic equations over GF(2) might already be subexponential using the original XL algorithm from [23]. See Section A.4 for more comments on this. Finally, our equations from Appendix [?] are also overdefined, sparse and have a lot of structure, which also should help the attacker.

7 Consequences of the XSL Attack 

7.1 Application to Rijndael 

We consider the 128-bit Rijndael with 256-bit keys. We have N_b = 4, N_k = 8, N_r = 14, s = 8, r = 23, t = 81, t' = 9, S = 3360; then for P = (t − r)/(s + t'/S) = 8, computed following (#), we get T ≈ 2^125, T' ≈ 2^114, R ≈ 2^125 with R/(T − T') = 1.106. The result is:

$$ T^{\omega} \approx 2^{298} $$

This version of the XSL attack fails also for other variants of AES. We expect that much better results should be obtained with the combination of the second XSL attack^6 with equations over GF(256) as proposed by Murphy and Robshaw [?]. It is not excluded that even AES-128 could be broken: for N_b = 4, N_k = 4, N_r = 10, s = 8, r = 24, t = 41, t' = 4, S = 201, our early estimation gives that for P = 3 we have T ≈ 2^36, T' ≈ 2^27, R ≈ 2^36, R' ≈ 2^33, and R/(T − T') = 1.01. If this attack worked as well as expected, the resulting complexity would be T^ω ≈ 2^87.

7.2 Application to Serpent 

For 256-bit Serpent, we have N_r = 32, s = 4, r = 21, t = 37, t' = 5, S = 33792. Then for P = (t − r)/(s + t'/S) = 5, we get T ≈ 2^88, T' ≈ 2^74, R ≈ 2^88, R/(T − T') = 1.25. The result is:

$$ T^{\omega} \approx 2^{210} $$

It seems that the XSL attack breaks 256-bit Serpent. Though it is obtained with the fairly theoretical ω = 2.376 from [?], using Strassen's exponent we still get 2^245. It is however not proven that the attack will work as predicted for P = 5. Though XSL attacks will probably always work for some P, we considered the minimum value of P for which R/(T − T') > 1. This condition is necessary, but probably not sufficient. A small change (e.g. an increase by 1 or 2) in P would lead to a dramatic overload in the complexity, going beyond exhaustive search.
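The bookkeeping of Sections 6.2 to 6.4 applied to the parameter sets of Sections 7.1 and 7.2, as an added Python example that is not part of the paper. The three counting rules for T, T' and R written in the docstring are assumptions: they are the natural counts for products of P basis terms taken from P distinct S-boxes and are not legible in this scan, but they reproduce the figures the text quotes (T ≈ 2^125, T' ≈ 2^114, R ≈ 2^125, R/(T − T') = 1.106 and T^ω ≈ 2^298 for AES-256; T ≈ 2^88, 1.25 and 2^210 for Serpent). The number of S-boxes per round B is likewise inferred from the quoted S (16 for a 128-bit block with 8-bit S-boxes, 32 for Serpent's 4-bit S-boxes), and P is taken from the text rather than computed, since (#) is only an estimate.

```python
import math


def xsl_estimates(B, N_r, s, r, t, t_prime, P, omega=2.376):
    """XSL bookkeeping for one parameter set (Sections 6.2-6.4).

    Assumed counting rules (hypothetical; they reproduce the paper's figures):
      T  = C(S, P) * (t - r)^P              products of P basis terms from P distinct S-boxes
      T' = T * (P / S) * t' / (t - r)       the products still in T after multiplication by
                                            a fixed variable of one of the P S-boxes
      R  = N_r (N_r + 1) (B s) * C(S, P-1) * (t - r)^(P-1)
                                            active equations times passive products
    Everything is returned as log2 values, as in the text.
    """
    S = B * N_r * (N_r + 1)                              # total number of S-boxes (Section 6.2)
    log2_T = math.log2(math.comb(S, P)) + P * math.log2(t - r)
    tp_over_t = P * t_prime / (S * (t - r))              # T' / T
    r_over_t = S * s * P / ((S - P + 1) * (t - r))       # R / T, via C(S,P)/C(S,P-1) = (S-P+1)/P
    ratio = r_over_t / (1 - tp_over_t)                   # R / (T - T'), must exceed 1
    return {
        "S": S,
        "log2_T": log2_T,
        "log2_T_prime": log2_T + math.log2(tp_over_t),
        "log2_R": log2_T + math.log2(r_over_t),
        "ratio": ratio,
        "works": ratio > 1,
        "P_estimate": math.ceil((t - r) / (s + t_prime / S)),   # formula (#) of Section 6.4
        "log2_WF": omega * log2_T,                              # WF ~ T^omega (Section 6.4)
    }


if __name__ == "__main__":
    cases = {
        "AES-256 (Section 7.1)": dict(B=16, N_r=14, s=8, r=23, t=81, t_prime=9, P=8),
        "Serpent-256 (Section 7.2)": dict(B=32, N_r=32, s=4, r=21, t=37, t_prime=5, P=5),
    }
    for name, params in cases.items():
        est = xsl_estimates(**params)
        print(name, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in est.items()})
```

The ratio R/(T − T') is computed from the two exact quotients R/T and T'/T rather than from the huge numbers themselves, which is also how one can see that the condition depends on S, s, P, t − r and t' only.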
7.3 Consequences for the Design of Block Ciphers

There are two complementary approaches in block cipher design that could be seen in the AES contest. Either a cipher is designed with a very small number of rounds that are very complex (for example in DFC), or it has a large number of rounds that are very simple (for example in Serpent). In [?] the authors warn that: “an attack against Serpent may hold for any set of (random) S-boxes”. It seems that we have found such an attack, and using many layers of very simple S-boxes is maybe not such a very good idea. Still, a correct choice of parameters will prevent the attacks.

For different reasons, the XSL attack is also applicable to all ciphers in which the only non-linear part is the inverse function in GF(2^s), with a small s. Therefore, ciphers such as Rijndael and Camellia should either use an s that is sufficiently large, maybe s > 8, or consider different S-boxes. This last possibility should give new optimal designs of S-boxes, not only close to optimal in terms of linear and differential attacks, but also incorporating our new criterion, i.e. having a big value of Γ, for example Γ > 2^32.

Even if the attacks of the present paper have not yet been tested on really big examples, they are an important threat for ciphers such as Rijndael, Serpent and Camellia. We propose that all block ciphers should apply the following criterion (due originally to Shannon [?]): The attacker should not be able to write a system of algebraic equations of simple type and of reasonable size that completely characterizes the secret key. It can be achieved if one uses at least a few (relatively) big randomly generated S-boxes.

8 Conclusion 

In this paper we point out an unexpected property of Rijndael and Serpent: they can be described as a system of overdefined and sparse quadratic equations over GF(2). It was known from [23] that solving such systems is easier if they are overdefined, and the problem might even be subexponential (conjectured) for small fields such as GF(2). It is therefore possible that the security of Rijndael and Serpent would not grow exponentially with the number of rounds.

A direct application of the XL attack from Eurocrypt'00 is extremely inefficient. Knowing that the equations are not only overdefined, but also sparse and structured, we have introduced a new method called XSL. If the XSL attack works as well as predicted, it might (marginally) break 256-bit Serpent. With equations over GF(2) we do not get an efficient attack for AES. However a different version of XSL combined with equations over GF(256) is expected to give much better results. In order to prevent such attacks, we propose that at least a few S-boxes in a cipher should not be described by a small system of overdefined multivariate equations.
A Direct MQ Attack on Rijndael

It is interesting to know how to describe Rijndael as a system of quadratic equations with a minimum number of variables and a maximum number of equations. We are in the second attack scenario with one or a few known plaintexts (see Section [?]).

A.l Minimizing the Number of Variables for Rijndael 

For each round i, we know that there are 4r · N_b quadratic equations between the (Z_{i−1,j} + K_{i−1,j}) and the (Z_{i,k}). They are of the following form:

$$ 0 = \sum \alpha_{ijk} Z_{i-1,j} Z_{i,k} + \sum \alpha'_{ijk} K_{i-1,j} Z_{i,k} + \sum \beta_{ij} Z_{i,j} + \sum \beta'_{ij} K_{i-1,j} + \delta. $$

An exception is made for the first round, for which, the Z_0 being known, they are of the form:

$$ 0 = \sum \alpha_{ijk} [K_{0,j}] Z_{1,k} + \sum \beta_{ij} Z_{1,j} + \sum \beta'_{ij} [K_{0,j}] + \delta. $$

Finally, for the last round, the Y_{N_r,k} will be expressed as a sum of the known ciphertext Z_{N_r+1,k} and [K_{N_r,k}], giving equations of the form:

$$ 0 = \sum \alpha_{ijk} Z_{N_r-1,j}[K_{N_r,k}] + \sum \alpha'_{ijk} [K_{N_r-1,j}][K_{N_r,k}] + \sum \beta_{ij} Z_{N_r-1,j} + \sum \beta'_{ij} [K_{N_r-1,j}] + \sum \gamma_{ij} [K_{N_r,j}] + \delta. $$

In all we will get 4 · r · N_r · N_b quadratic equations over GF(2). The number of variables Z_{i,j} is only 4s · (N_r − 1)N_b.
A.2 Using the Key Schedule

We have:

$$ X_{i+1,j} = Z_{i,j} \oplus [K_{i,j}] \quad \text{for all } i = 0 .. N_r. \qquad (1) $$

In order to define what the [K_{i,j}] are we need to choose a basis for the K_{i,j}. From the key schedule [?] it is obvious that one may take as “true key variables” all the N_k variables from the first round, then all the first columns of each consecutive key state, and if N_k = 8, also the 5th columns. By inspection we see that the number of “true key variables” is:

$$ L_k = \begin{cases} 32 \cdot \left(N_k + \left\lceil (N_r \cdot N_b + N_b - N_k)/N_k \right\rceil\right) & \text{if } N_k \neq 8 \\ 32 \cdot \left(N_k + \left\lceil (N_r \cdot N_b + N_b - N_k)/4 \right\rceil\right) & \text{if } N_k = 8 \end{cases} $$

For example, for 128-bit Rijndael with H_k = 128 we have L_k = 32 · (4 + 10) = 448.

Additional Equations. We call “redundant true variables” all the L_k − H_k additional variables that are determined by some initial subset of H_k unexpanded variables. From the key schedule we see that for each of these L_k − H_k “redundant true variables” we may write r = 23 (or 24) quadratic equations. Each of the “redundant true” key state columns is a XOR of one of the previous columns, a parallel application of 4 S-boxes to another column, and of a constant. Thus these equations are of the form:

… (2)

The number of these equations is:

$$ \frac{r\,(L_k - H_k)}{s} $$

A.3 Summary of the Equations and Concrete Applications

Theorem A.3.1 (Reduction Rijndael → MQ). The problem of recovering the secret key of Rijndael given about one plaintext/ciphertext pair can be written as an overdefined system of

$$ m = 4 \cdot r \cdot N_b \cdot N_r + r(L_k - H_k)/s $$

sparse quadratic equations with the number of unknowns being:

$$ n = 4 \cdot s \cdot (N_r - 1) N_b + L_k. $$

Concrete Application to Rijndael: We will use the fully quadratic equations obtained in Section [?]. We have r = 39 and t = 137; however, since this attack will only require 1 or 2 known plaintexts, we may assume r = 40 (see Section [?]).

• Thus for the 128-bit Rijndael with 128-bit key, we can write the problem of recovering the key as a system of 8000 quadratic equations with 1600 variables.
• For the 256-bit Rijndael with 256-bit key, we get a system of 22400 quadratic equations with 4480 variables.

In general, no efficient algorithms are known to solve such big systems of equations. In fact, however, they are sparse and have a regular structure, see Section [?]. In Section 6.2 we write quadratic equations in a different way, more suitable for our XSL attacks.
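The counts of Theorem A.3.1, as an added Python example that is not part of the paper: it evaluates L_k from Appendix A.2 and the totals m and n for the two Rijndael variants quoted above (8000 equations in 1600 unknowns, and 22400 in 4480). The Rijndael round-count rule N_r = max(N_b, N_k) + 6 is a standard fact assumed here, not stated on the page; r = 40 and s = 8 are the values the text uses.

```python
import math


def rijndael_rounds(N_b, N_k):
    """Standard Rijndael round count (assumed here; not stated on the page)."""
    return max(N_b, N_k) + 6


def true_key_variables(N_b, N_k, N_r):
    """L_k of Appendix A.2: the number of 'true key variables' of the key schedule,
    32 bits per column; the 5th columns are also taken when N_k = 8."""
    divisor = 4 if N_k == 8 else N_k
    return 32 * (N_k + math.ceil((N_r * N_b + N_b - N_k) / divisor))


def rijndael_mq_size(N_b, N_k, N_r=None, s=8, r=40):
    """Equations m and unknowns n of Theorem A.3.1 (Reduction Rijndael -> MQ)."""
    if N_r is None:
        N_r = rijndael_rounds(N_b, N_k)
    H_k = 32 * N_k                                   # key length in bits
    L_k = true_key_variables(N_b, N_k, N_r)
    state_eqs = 4 * r * N_b * N_r                    # Appendix A.1: 4 r N_b equations per round
    key_eqs = r * (L_k - H_k) // s                   # Appendix A.2: r (L_k - H_k) / s equations
    m = state_eqs + key_eqs
    n = 4 * s * (N_r - 1) * N_b + L_k                # Z variables plus true key variables
    return {"rounds": N_r, "L_k": L_k, "H_k": H_k,
            "equations": m, "unknowns": n, "ratio": m / n}


if __name__ == "__main__":
    for N_b, N_k in ((4, 4), (8, 8)):
        print(f"Rijndael {32 * N_b}-bit block / {32 * N_k}-bit key:", rijndael_mq_size(N_b, N_k))
```

The ratio m/n (5 for both variants) is what makes the system "overdefined" in the sense of the conclusion: there are five times more sparse quadratic equations than unknowns.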

A.4 Theoretical Consequences for Rijndael and AES

The above reduction already has some very important consequences for Rijndael and AES. We consider the security of some generalized version of Rijndael in which the number of rounds N_r increases and all the other parameters are fixed.

On one hand, in all general attacks previously known against such ciphers, for example in linear or differential attacks, the security grows exponentially with N_r. There are also combinatorial attacks such as the square attack, but these will simply not work if N_r is sufficiently large. On the other hand, we observe that the number of variables (and the number of equations) in the reduction is linear in the number of rounds N_r. Therefore, if the MQ problem is subexponential, which seems possible from the XL paper [23], to break Rijndael would also be subexponential^7, i.e. the security would not grow exponentially with the number of rounds N_r.

Remark 1: It is important to see that the result would not be the same if the reduction were for example quadratic in N_r. In this case XL could be subexponential, for example in …, but Rijndael could still be fully exponential, for example in (N_r^2)^{N_r}.

Remark 2: It seems that the same remark will hold for any block cipher composed of rounds of fixed type: obviously each of them can always be written as a set of quadratic equations. However, in this case, the size of the system (even for one round) will be so huge that there will be no hope for any practical attacks.

B A Toy Example for the “T' Method”

This is a concrete working example for the final step of the XSL algorithm called the “T' method”. It can also be applied to the XL algorithm.

We have n = 5 variables, and thus T = 16 and T' = 10. We start with a random system that has exactly one solution, and with Free > T − T' and with 2 exceeding equations, i.e. Free = T − T' + 2. Here is a system in which T' is defined with respect to x_1:

^7 It is also possible that XL is subexponential only on average, and AES gives very special systems.
$$\begin{cases}
x_3x_2 = x_1x_3 + x_2 \\
x_3x_4 = x_1x_4 + x_1x_5 + x_5 \\
x_3x_5 = x_1x_5 + x_4 + 1 \\
x_2x_4 = x_1x_3 + x_1x_5 + 1 \\
x_2x_5 = x_1x_3 + x_1x_2 + x_3 + x_4 \\
x_4x_5 = x_1x_2 + x_1x_5 + x_2 + 1 \\
0 = x_1x_3 + x_1x_4 + x_1 + x_5 \\
1 = x_1x_4 + x_1x_5 + x_1 + x_5
\end{cases}$$

Here is the same system in which T' is defined with respect to x_2:

$$\begin{cases}
x_1x_3 = x_3x_2 + x_2 \\
x_1x_4 = x_3x_2 + x_2 + x_1 + x_5 \\
x_1x_5 = x_2x_4 + x_3x_2 + x_2 + 1 \\
x_3x_5 = x_2x_4 + x_3x_2 + x_2 + 1 + x_4 + 1 \\
x_3x_4 = x_2x_4 + x_1 + 1 \\
x_4x_5 = x_1x_2 + x_2x_4 + x_3x_2 \\
0 = x_1x_2 + x_2x_5 + x_3x_2 + x_2 + x_3 + x_4 \\
0 = x_2x_4
\end{cases}$$

We have rank = 8. Now multiply the two exceeding equations of the first version of the system by x_1:

$$\begin{cases}
0 = x_1x_3 + x_1x_4 + x_1 + x_1x_5 \\
0 = x_1x_4
\end{cases}$$

We have rank = 10. We get two new linearly independent equations.

We rewrite these equations, using the second system, only with terms that can be multiplied by x_2. Now we have 4 exceeding equations for the second system (two old and two new):

$$\begin{cases}
0 = x_1x_2 + x_2x_5 + x_3x_2 + x_2 + x_3 + x_4 \\
0 = x_2x_4 \\
0 = x_2x_4 + x_3x_2 + x_5 + x_2 + 1 \\
0 = x_3x_2 + x_2 + x_1 + x_5
\end{cases}$$

We multiply these four equations by x_2:

$$\begin{cases}
0 = x_1x_2 + x_2x_5 + x_2x_4 + x_2 \\
0 = x_2x_4 \\
0 = x_2x_4 + x_3x_2 + x_5x_2 \\
0 = x_3x_2 + x_2 + x_1x_2 + x_2x_5
\end{cases}$$

We are not lucky: the second equation is invariant under this transformation. Still we get three new linearly independent equations. We have rank = 13.

We rewrite, using the first system, the three new equations with terms that can be multiplied by x_1:

$$\begin{cases}
1 = x_1x_5 + x_2 + x_3 + x_4 \\
1 = x_1x_2 + x_1x_3 + x_1x_5 + x_2 + x_3 + x_4 \\
0 = x_3 + x_4
\end{cases}$$

Still rank = 13. Then we multiply the three new equations by x_1:

$$\begin{cases}
1 = x_1x_5 + x_1x_2 + x_1x_3 + x_1x_4 \\
1 = x_1x_5 + x_1x_4 \\
0 = x_3 + x_4
\end{cases}$$

We have rank = 14. We get one more linearly independent equation; the two others are redundant. Now we rewrite the first equation with terms that can be multiplied by x_2:

$$ 0 = x_1x_2 + x_2x_4 + x_3x_2 + x_1 + x_2 + x_5 $$

We still have rank = 14. Then we multiply the new equation by x_2:

$$ 0 = x_2x_4 + x_3x_2 + x_2x_5 + x_2 $$

We get another new linearly independent equation. We have rank = 15. The rank is the maximum that can be achieved: there are 15 non-zero monomials here, and rank = 16 can only be achieved for a system that is contradictory.
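The T' method of this appendix run by machine, as an added Python example that is not part of the paper. Equations over GF(2) are bitmasks over the 16 monomials of degree at most 2 in x_1..x_5, so multiplying by x_v is a bit permutation (with x_v^2 = x_v), and Gaussian elimination that pivots first on the monomials that cannot be multiplied by x_v exposes the exceeding equations as the rows whose pivot lies in T'_v. The input is the first version of the toy system above, copied from the page. Unlike the hand computation, which multiplies only the newest equations, each step multiplies a basis of the whole exceeding space, so the rank after each step is at least the text's. With x_1 and x_2 alone the run reaches rank 8, 10, 13, 14 and then stalls; adding x_3 as a third variable, as step 9 of the algorithm recommends, reaches rank 15 and reads off the unique solution (x_1, …, x_5) = (1, 0, 0, 0, 1).

```python
from itertools import combinations

# The toy system of Appendix B in the version where T' is defined with respect
# to x1 (copied from the page). Variables x1..x5 over GF(2); single-digit indices only.
TOY_SYSTEM = [
    "x3x2 = x1x3 + x2",
    "x3x4 = x1x4 + x1x5 + x5",
    "x3x5 = x1x5 + x4 + 1",
    "x2x4 = x1x3 + x1x5 + 1",
    "x2x5 = x1x3 + x1x2 + x3 + x4",
    "x4x5 = x1x2 + x1x5 + x2 + 1",
    "0 = x1x3 + x1x4 + x1 + x5",
    "1 = x1x4 + x1x5 + x1 + x5",
]


def monomials(n):
    """All monomials of degree <= 2 in x1..xn, as frozensets of variable indices (T = 16 for n = 5)."""
    mons = [frozenset()] + [frozenset([i]) for i in range(1, n + 1)]
    return mons + [frozenset(c) for c in combinations(range(1, n + 1), 2)]


def parse(eq, idx):
    """'x3x2 = x1x3 + x2' -> bitmask of the monomials whose GF(2) sum is zero."""
    row = 0
    for side in eq.split("="):
        for tok in side.split("+"):
            tok = tok.strip()
            if tok == "0":
                continue
            mon = frozenset() if tok == "1" else frozenset(int(c) for c in tok if c.isdigit())
            row ^= 1 << idx[mon]
    return row


def echelon(rows, order):
    """Gaussian elimination over GF(2); pivots are chosen in the priority given by `order`.
    Returns {pivot column: row}; len() of the result is the rank."""
    pivots = {}
    for row in rows:
        for col in order:
            if not (row >> col) & 1:
                continue
            if col in pivots:
                row ^= pivots[col]
            else:
                pivots[col] = row
                break
    return pivots


def multiply(row, v, mons, idx):
    """Multiply an equation by x_v (x_v^2 = x_v); all its monomials must stay of degree <= 2."""
    out = 0
    for i, m in enumerate(mons):
        if (row >> i) & 1:
            out ^= 1 << idx[m | {v}]
    return out


def tprime_step(rows, v, mons, idx):
    """One T'-method step: multiply by x_v every exceeding equation, i.e. every
    equation written only with the T'_v terms that can be multiplied by x_v."""
    tv = {i for i, m in enumerate(mons) if (m | {v}) in idx}          # T'_v (10 of 16 here)
    order = [i for i in range(len(mons)) if i not in tv] + sorted(tv)  # non-T'_v pivots first
    pivots = echelon(rows, order)
    exceeding = [r for c, r in pivots.items() if c in tv]
    return rows + [multiply(r, v, mons, idx) for r in exceeding]


def tprime_method(eqs, n, variables):
    """Alternate the chosen variables until rank T - 1 is reached or a full cycle adds nothing.
    Returns (rank history, final list of equations)."""
    mons = monomials(n)
    idx = {m: i for i, m in enumerate(mons)}
    rows = [parse(e, idx) for e in eqs]
    T, cols = len(mons), list(range(len(mons)))
    rank = len(echelon(rows, cols))
    history = [rank]
    while rank < T - 1:
        start = rank
        for v in variables:
            rows = tprime_step(rows, v, mons, idx)
            rank = len(echelon(rows, cols))
            history.append(rank)
            if rank == T - 1:
                break
        if rank == start:
            break                      # the method is stuck with these variables
    return history, rows


def solve(rows, n):
    """Read off x1..xn once every non-constant monomial has a pivot (rank T - 1); else None."""
    mons = monomials(n)
    idx = {m: i for i, m in enumerate(mons)}
    const = idx[frozenset()]
    order = [i for i in range(len(mons)) if i != const] + [const]
    pivots = echelon(rows, order)
    if const in pivots or len(pivots) < len(mons) - 1:
        return None                    # contradictory (1 = 0) or still underdetermined
    for c in reversed(order):          # back-substitute so each row reads "monomial = constant"
        if c in pivots:
            for d in pivots:
                if d != c and (pivots[d] >> c) & 1:
                    pivots[d] ^= pivots[c]
    return tuple((pivots[idx[frozenset([i])]] >> const) & 1 for i in range(1, n + 1))


def satisfies(eqs, n, values):
    """True if the assignment (x1..xn) satisfies every equation of the system."""
    mons = monomials(n)
    idx = {m: i for i, m in enumerate(mons)}
    for row in (parse(e, idx) for e in eqs):
        total = 0
        for i, m in enumerate(mons):
            if (row >> i) & 1 and all(values[j - 1] == 1 for j in m):
                total ^= 1
        if total:
            return False
    return True


if __name__ == "__main__":
    for variables in ((1, 2), (1, 2, 3)):
        history, rows = tprime_method(TOY_SYSTEM, 5, variables)
        print("variables", variables, "ranks", history, "solution", solve(rows, 5))
```

`solve` distinguishes the two ways the method can end: a pivot on the constant column means the system is contradictory (rank 16 in the text's words), while fewer than 15 pivots means the chosen variables did not generate enough independent multiples.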
Abstract. In this paper we analyse the security of a new key exchange 
protocol proposed in [3], which is based on mutually learning neural 
networks. This is a new potential source for public key cryptographic 
schemes which are not based on number theoretic functions, and have 
small time and memory complexities. In the first part of the paper we 
analyse the scheme, explain why the two parties converge to a common 
key, and why an attacker using a similar neural network is unlikely to 
converge to the same key. However, in the second part of the paper we 
show that this key exchange protocol can be broken in three different 
ways, and thus it is completely insecure. 


1 Introduction 

Neural networks have attracted a lot of attention in the last 60 years as a plausible computational model of how the human brain operates. The model was first formalized in 1943 by Warren McCulloch and Walter Pitts, and in 1949 Donald Hebb published his highly influential book Organization of Behavior in which he studied a variety of neural learning mechanisms. Today the area continues to be extremely active, and attracts interdisciplinary researchers from a wide variety of backgrounds (Biology, Medicine, Psychology, Physics, Mathematics, Computer Science, etc).

Not surprisingly, researchers have also tried to use neural networks in cryptography. In January 2002, the physicists Kanter, Kinzel and Kanter [3] proposed a new key exchange protocol between two parties A and B. It uses the new notion of chaotic synchronization, which makes it possible for two weakly interacting chaotic systems to converge even though each one of them (viewed individually) continues to move in a chaotic way. Many papers and several conferences were devoted in the last few years to this subject, and an excellent starting point for this literature can be found in [5].

In this paper we analyse the Kanter, Kinzel and Kanter (KKK) proposal, which can be viewed as a gradual type of Diffie-Hellman key exchange. In both schemes the two parties start from random uncorrelated t-bit states. The DH scheme uses a single round in which each party reveals t bits of information about its state. Based on the received information, each party modifies its state once, and the new states become identical. The KKK scheme uses multiple (typically > t) rounds in which each party reveals a single bit of information about its current state, and then modifies its state according to the information revealed

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 288-298, 2002. 
by the other party. If we denote the sequence of states of the two parties by A_i and B_i, then distance(A_{i+1}, B_{i+1}) < distance(A_i, B_i) and eventually A_i = B_i for all i > i_0. However, the parties do not converge by moving towards a common fixedpoint which is halfway between them, and both distance(A_{i+1}, A_i) and distance(B_{i+1}, B_i) remain large even for i > i_0. From the point of view of the cryptanalyst the states of the parties become rapidly moving targets, and his main problem is how to combine bits of information about two converging sequences of unknown states. Such multiround synchronization is a new and unexplored idea, which makes it possible to use new types of cryptographic functions which are not based on number theory. A KKK-like scheme can thus provide a new basis for security, and can give rise to potentially faster key exchange schemes.

The concrete proposal in [3] uses two neural networks in which each network tries to learn from the other network's outputs on common random inputs. In the standard learning problem a neural network tries to learn a fixed function, and thus it converges towards it as a fixedpoint. In the mutual learning problem each network serves both as a trainer and as a trainee, and there is no fixed target to converge to. Instead, they chase each other in a chaotic trajectory which is driven primarily by the common sequence of random inputs. We first consider the nontrivial issue of why the scheme works at all, i.e., why the two chaotic behaviours become synchronized. We then explain the empirical observation in [3] that an attacker who uses an identical neural network with the same learning procedure is extremely unlikely to synchronize his network with the other parties' network even though he eavesdrops on all their communication. However, in the last part of the paper we show that the KKK scheme can be broken by at least three different attacks (using genetic algorithms, geometric considerations, and probabilistic analysis). The bottom line of our analysis is that even though this concrete cryptographic scheme is insecure, the notion of chaotic synchronization is an exciting new concept and a potential source of new insights into how parties can agree on common secret values as a result of public discussion.

2 The KKK Key Exchange Scheme 

Each party in the proposed KKK construction uses a two-level neural network: the first level contains K independent perceptrons, while the second level computes the parity of their K hidden outputs. Each one of the K perceptrons has N weights w_{k,n} (where 1 ≤ k ≤ K and 1 ≤ n ≤ N). These weights are integers in the range {−L, …, L} that can change over time. Given the N-bit input (x_{k,1}, …, x_{k,N}) (where x_{k,n} ∈ {−1, +1}), the perceptron outputs the sign (which is also in {−1, +1}) of w_k · x_k = Σ_{n=1}^{N} w_{k,n} x_{k,n}. The output o_k of the perceptron has a simple geometric interpretation: the hyperplane which is perpendicular to the weight vector w divides the space into two halves, and the output of the perceptron for input x indicates whether x and w are on the same side of this hyperplane or not (i.e., whether the angle between w and x is less than or greater than 90 degrees). The output of the neural network is defined as the parity O = ∏_{k=1}^{K} o_k of the outputs of the K perceptrons.
In the KKK scheme the two parties A and B start from random uncorrelated weight matrices {w_{k,n}}. At each round a new random matrix of inputs {x_{k,n}} is publicly chosen (e.g., by using a pseudo random bit generator), and each party announces the output of its own neural network on this common input. If the two output bits are the same, the parties do nothing and proceed to the next round; otherwise each party trains its own neural network according to the output of the other party. The training uses the classical Hebbian learning rule to update the perceptron weights. However, each party knows only the parity (rather than the individual values) of the outputs of the other party's perceptrons, and thus the learning rule has to be modified: in the KKK proposal (which is also discussed and justified in [1] and [4]) each party only modifies those perceptrons in his own network whose hidden outputs differ from the announced output. With this correction, KKK observed that for some choices of K, N and L, the weight matrices of the two parties become anti-parallel (i.e., w^A_{k,n} = −w^B_{k,n} for all k and n) after a reasonably small number of rounds, and from then on they always generate negated outputs and always update their weights into new anti-parallel states. The two parties could become aware of the achieved synchronization by noticing that their announced outputs were always negated for 20-30 consecutive steps. Once their networks become synchronized, the two parties could stop and compute a common cryptographic key by hashing their current weight matrix (or its negation).

3 The Synchronization Process 

In this section we explain the synchronization process by using some elementary 
properties from the theory of random walks in bounded domains. In particular, 
we analyse the effect of various choices of parameters on the rate of convergence. 

The standard Hebbian learning rule forces the mutually learning neural networks into anti-parallel states. This is unintuitive, complicates our notation, and makes it difficult to prove convergence by using distance arguments. We thus modify the original scheme in [3], and update the two weight matrices whenever the networks agree (rather than disagree) on some input. We modify several other minor elements, and get a dual scheme in which one of the parties goes through the same sequence of states and the other party goes through a negated sequence of intermediate steps, compared to the original KKK proposal. In this dual scheme the two parties eventually become identical (rather than anti-parallel). For K = 3, the modified learning procedure is defined in the following way: Given random public vectors x_1, x_2, x_3 ∈ {−1, 1}^N, each party calculates its perceptrons' hidden outputs o_1 = sgn(w_1 x_1), o_2 = sgn(w_2 x_2), o_3 = sgn(w_3 x_3), where sgn(x) is 1 if x > 0 and −1 otherwise. It then announces its final output O = o_1 o_2 o_3. If O^A ≠ O^B the parties end the current round without changing any weights. Otherwise, each party updates only perceptrons for which o_k = O (since the common O is the product of three hidden values, each party updates the weights of either one or three perceptrons). The updated weights of perceptron k are defined by the transformation w_k ← bound_{−L,L}(w_k − o_k x_k), where bound_{−L,L} changes any coordinate which exceeds the allowed weight bounds back to the bound (i.e., −L − 1 is changed to −L and L + 1 is changed to L).

This learning procedure is quite delicate, and changing the identity of the 
updated perceptrons or the way they are updated either destroys the synchro- 
nization process or makes it trivially insecure. The goal of this section is to 
explain why the two parties converge, and why a third neural network cannot 
converge to the same weight matrix by following the same learning procedure. 

We first consider a highly simplified neural network which consists of a single perceptron with a single weight. The convergence of such networks is completely explained by the existence of the absorbing boundaries −L and L for the range of allowed weight values. Let a_i and b_i be the current weights of the two perceptrons. At each round a new random input x_i ∈ {−1, 1} is chosen, and the parties decide to either ignore it, or to simultaneously move their two weights in the same direction determined by x_i. However, if any weight tries to step beyond the allowed boundaries, it remains stuck at the boundary while the other weight moves towards it (unless it is also stuck at the same boundary). Each weight starts from a random value, and performs a one dimensional random walk which is driven by the common sequence of random inputs. When neither one of the weights is stuck at the boundary, their distance remains unchanged (|a_{i+1} − b_{i+1}| = |a_i − b_i|), whereas if one of them is stuck and the other one moves, their distance is reduced by one. Since each random walk is likely to hit the boundary infinitely often, their distance will eventually reduce to zero, and from then on the two random walks will always coincide.

The case of a single perceptron with multiple weights is a simple generalization of this case. The two weight vectors move in the same direction determined by x_i in a bounded multidimensional box, and along each coordinate the distance is either preserved or reduced by one. When all these distances are reduced to zero, the two random walks become identical forever.
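Both the K = 3 learning rule defined above and the single-weight random walk argument, as an added Python simulation that is not part of the paper. It implements the dual scheme of this section: the parties train only when their outputs agree, only the perceptrons with o_k = O move, weights are clipped to [−L, L], and sgn(0) = −1 as in the text. `one_weight_walk` is the one-dimensional case; unlike the text it moves on every input rather than letting the parties ignore some, which does not change the distance argument. `synchronize` simulates A and B only (no third party) and returns the round at which their weights first became identical, or None within the round budget, together with the distance trace; the defaults K = 3, N = 10, L = 3 and the seeds are assumptions.

```python
import random


def sgn(x):
    """Sign function of Section 3: 1 if x > 0, otherwise -1 (a zero dot product gives -1)."""
    return 1 if x > 0 else -1


def bound(v, L):
    """bound_{-L,L}: push a weight that stepped outside [-L, L] back to the boundary."""
    return max(-L, min(L, v))


class ParityMachine:
    """The two-level network of Section 2: K perceptrons with N integer weights in [-L, L];
    the network output is the product (parity) of the K hidden signs."""

    def __init__(self, K, N, L, rng):
        self.K, self.N, self.L = K, N, L
        self.w = [[rng.randint(-L, L) for _ in range(N)] for _ in range(K)]

    def hidden(self, x):
        """o_k = sgn(w_k . x_k) for each perceptron k; x is a K x N matrix of +-1."""
        return [sgn(sum(wn * xn for wn, xn in zip(wk, xk))) for wk, xk in zip(self.w, x)]

    def output(self, x):
        O = 1
        for o in self.hidden(x):
            O *= o
        return O

    def update(self, x, O):
        """Dual learning rule of Section 3: only perceptrons with o_k = O move,
        w_k <- bound_{-L,L}(w_k - o_k x_k). Hidden outputs are taken before any change."""
        for k, o_k in enumerate(self.hidden(x)):
            if o_k == O:
                self.w[k] = [bound(wn - o_k * xn, self.L) for wn, xn in zip(self.w[k], x[k])]


def distance(A, B):
    """Sum over all weights of |w^A - w^B|; zero iff the two machines are identical."""
    return sum(abs(a - b) for wa, wb in zip(A.w, B.w) for a, b in zip(wa, wb))


def synchronize(K=3, N=10, L=3, seed=1, rounds=2000, start_identical=False):
    """Run A and B on common public random inputs (dual scheme: train on agreement).
    Returns (first round with identical weights or None, distance trace, A, B)."""
    rng = random.Random(seed)
    A, B = ParityMachine(K, N, L, rng), ParityMachine(K, N, L, rng)
    if start_identical:                      # used to check that synchronization is absorbing
        B.w = [row[:] for row in A.w]
    trace, synced_at = [], None
    for i in range(rounds):
        x = [[rng.choice((-1, 1)) for _ in range(N)] for _ in range(K)]   # public input
        OA, OB = A.output(x), B.output(x)
        if OA == OB:
            A.update(x, OA)
            B.update(x, OB)
        trace.append(distance(A, B))
        if synced_at is None and trace[-1] == 0:
            synced_at = i
    return synced_at, trace, A, B


def one_weight_walk(a, b, inputs, L):
    """Single perceptron with a single weight (Section 3): both weights step with the common
    input and stick at the boundaries; returns the distances |a_i - b_i| after each step."""
    dists = []
    for x in inputs:
        a, b = bound(a + x, L), bound(b + x, L)
        dists.append(abs(a - b))
    return dists


if __name__ == "__main__":
    synced, trace, _, _ = synchronize(seed=1)
    print("A and B identical from round", synced, "; distance at rounds 0/100/last:",
          trace[0], trace[100], trace[-1])
    print("1-D walk, a=-1, b=2, L=3, six +1 inputs:", one_weight_walk(-1, 2, [1] * 6, 3))
```

Two properties of the text can be checked on the output regardless of the random seed: the one-dimensional distance never increases and drops by one exactly when one weight is pinned at a boundary, and once A and B are identical every later move is coordinated, so the distance stays zero for the rest of the run.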

Unfortunately, single perceptron neural networks can be trivially attacked by any neural network which starts from a random initial state and mimics the operation of the two parties. In fact, except during a short initial period, the state of all these perceptrons is uniquely determined by the (publicly known) sequence of inputs x_i, and is independent of their initial state. Consequently, the synchronization process of single perceptron neural networks is trivial, and cannot be used to derive a cryptographically secure common key.

The case of neural networks with multiple perceptrons is more complicated, since the two parties may update different subsets of their perceptrons in each round. We thus have to consider a noisy version of the previous convergence argument, in which occasionally the parties perform uncoordinated moves which add x_i to one of A's perceptrons but add zero to the corresponding perceptron of B, which can either increase or decrease the distance between them. Initially there is some weak correlation between o^A_k and o^B_k due to the asymmetry in o caused by cases in which w_k x_k = 0. If the parties make a coordinated move (i.e. o^A_k = o^B_k) then w^A_k and w^B_k become closer to each other and thus w^A_k x_k and w^B_k x_k will have an increased tendency to have the same sign (and thus make a coordinated move) in the next round with a new random input. In particular, if w^A_k = w^B_k for all k then all their future moves will be coordinated, and thus their weight matrices will remain identical forever. The convergence argument becomes a delicate balance between the reduced distance caused by coordinated moves, the increased distance which may be caused by uncoordinated moves, and the probability of making an uncoordinated move as a function of the current correlation between the weights: if we completely rerandomize the weights whenever the two perceptrons make an uncoordinated move the parties will never converge, but if we do not penalize such failures then any third party will also converge to the same state in the same amount of time.

The claimed basis for the security of the scheme in [3] is the proven fact that given fewer than some number α(L)N of outputs of a parity machine with fixed weights for random inputs it is information theoretically impossible to calculate these weights, and the case of changing weights seems to be even harder. However, the problem of computing the initial weights and the problem of finding the final weights are completely different, and the attacker is only interested in the latter problem. To illustrate this point, consider the simple example of a one dimensional random walk with boundaries. Although it is information theoretically impossible to recover the initial position a_0 from an arbitrarily long sequence of state signs, it is easy to predict with overwhelming probability all the states from some point onwards.

The other evidence of security given in [3] was the fact that an attacker 
using the same neural network and a variety of learning rules failed to converge 
to the same states in the same number of steps as the two parties (in some 
cases the attacker never converged, and in other cases its convergence was so 
slow that when the two parties stopped revealing their output bits its state was 
still completely different). This is a necessary condition for the security of the 
scheme, but far from being sufficient. However, the cause of this failure is not 
obvious, and its analysis is very instructive. 

Consider an attacker $C$ who starts from the same parity machine with randomly chosen weights. At each step she computes her hidden outputs $o_1^C, \ldots, o_K^C$ with respect to the publicly available input. If the parties announce different public outputs $O^A \neq O^B$, $C$ knows that $A$ and $B$ do not update their weights, and thus she also skips the current round without updating her weights. If $O^A = O^B$ then $C$ tries to mimic the behavior of $A$ and $B$ by guessing which perceptrons should be updated, and she uses her hidden outputs to do so using the same rule as the two parties. In [3] it was empirically observed that this strategy does not allow $C$ to converge even if she starts from a state which is strongly correlated to that of $B$. In order to understand why $C$ fails while $A$ and $B$ succeed, we have to compare the probability that $B$ and $C$ make the same update as $A$. Consider for example a neural network with $K = 2$, i.e. each party has two perceptrons. Let us define $p_k = \Pr[o_k^A = o_k^B]$ for random inputs $x_k$, and for the sake of simplicity assume that it is the same for both perceptrons ($p_1 = p_2 = p$), and for both pairs $(A, B)$ and $(A, C)$ (note that the outputs of different units are independent since they are functions of independent random inputs). There are four possible scenarios: $(o_1^A = o_1^B,\ o_2^A = o_2^B)$, $(o_1^A \neq o_1^B,\ o_2^A = o_2^B)$, $(o_1^A = o_1^B,\ o_2^A \neq o_2^B)$ and $(o_1^A \neq o_1^B,\ o_2^A \neq o_2^B)$, with probabilities $p^2$, $p(1-p)$, $(1-p)p$ and $(1-p)^2$ respectively. Note that in the second and the third scenarios $O^A \neq O^B$, and thus they will never happen in a round in which $A$ and $B$ decide to update their weights. However, such scenarios are possible for $(A, C)$, since their outputs can be different when $C$ is forced to move, and from her perspective it is a bad idea either to keep the weights unchanged or to update the wrong collection of perceptrons. In other words, the crucial difference between the two parties and the attacker is that the parties can choose the most beneficial points in time at which to update their weights, whereas the passive eavesdropper cannot influence this choice. Consequently, the probability that $(A, B)$ make a coordinated move is $p^2 + (1-p)^2$, while the probability that $(A, C)$ make a coordinated move is $p$. Since $0 < p < 1$, it is easy to see that $p^2 + (1-p)^2 > p$. Figure 1 shows the probability of making a coordinated move as a function of $p$ for various numbers of perceptrons $K$. It is clear from this figure that the choice of $K = 2$ is optimal for $(A, B)$. We have already demonstrated a difference of behaviour between the $(A, B)$ and $(A, C)$ cases, but in order to show why such a difference allows the pair $(A, B)$ to converge with very high probability but the pair $(A, C)$ to converge only with negligible probability, we have to consider the speed of convergence. 

First we have to define the notion of closeness between perceptrons: $\rho(w, w') = \Pr_x[\mathrm{sgn}(w \cdot x) = \mathrm{sgn}(w' \cdot x)]$ for a random input $x$ (by definition, $0 < \rho < 1$). To calculate the expected change of $\rho$ after one round in which the parties update their weights, we use the following formula: 

$$E[\Delta\rho] = \Pr[\top]\,\Delta\rho_\top + \Pr[\bot]\,\Delta\rho_\bot,$$

where we use $\top$ to denote coordinated moves (in which the hidden outputs are the same) and $\bot$ to denote uncoordinated moves. For the sake of simplicity consider again the case of $K = 2$ and $\rho(w_1^A, w_1^B) = \rho(w_2^A, w_2^B)$. Using a large number of numerical experiments we found the forms of $\rho'_\top$ and $\rho'_\bot$. The results are shown in Figure 2, which describes the closeness before and after a coordinated and an uncoordinated move in the various experiments. In order to combine these results we approximated $\Delta\rho_\top$ and $\Delta\rho_\bot$ by two third degree polynomials which are described in Figure 3. Using this approximation, Figure 4 shows the expected increase of $\rho$ as a function of the current value of $\rho$ for the whole system. 

Using Figure 4 we can easily explain why the pair $(A, B)$ quickly converges: $\Delta\rho(w^A, w^B) > 0$, so each step is expected to increase $\rho$ until eventually $\rho = 1$. However, for $(A, C)$ the drift is positive only while $\rho$ is below approximately 0.8; if $C$ gets any closer then her drift is negative and thus her strategy is counterproductive. This explains the experimental result described in [3]: even if $\rho(w^B, w^C)$ is relatively high it tends to decrease, and thus such an adversary has a negligible probability of converging to the common states of $A$ and $B$. 

Fig. 1. The probability of making a coordinated move for one perceptron when $K = 2$ ("x"), $K = 3$ ("+"), or $K = 4$ ("*"). 


4 Cryptanalytic Attacks 

The security of the scheme was analysed in [3] in terms of its robustness against 
a particular attacker who simulates the actions of the two parties. The security 
of the scheme against such an attack was experimentally verified in [3], and 
mathematically explained in the previous section. In this section we consider 
other types of attacks, and show that the KKK scheme can be broken by three 
completely different cryptanalytic techniques. Since the proposed cryptographic 
scheme is very different from standard schemes, the attacks are also somewhat 
unusual. 


4.1 The Genetic Attack 

Since the cryptosystem is based on the biological notion of neural networks, we decided to apply a biologically motivated attack based on genetic algorithms. The general idea behind any genetic algorithm is to simulate a population of virtual organisms and to impose evolutionary rules which prefer organisms with certain desirable properties. The literature contains very few successful cryptanalytic applications of such techniques, but a recent exception is the simulated annealing attack on the PPP scheme described in [2]. 

Fig. 2. Experimental form of $\rho'_\bot$ (the lower distribution) and $\rho'_\top$ (the upper distribution) for $L = 3$ and $N = 101$. 

In our attack, we simulate a large population of neural networks with the same structure as the two parties, and train them with the same inputs. At each stage about half the simulated networks announce an output of $+1$, and half announce an output of $-1$. Networks whose outputs mimic those of the two parties breed and multiply, while unsuccessful networks die. 

We start the attack with one network with randomly chosen weights. At each step a population of networks evolves according to three possible scenarios: 

- $A$ and $B$ have different outputs $O^A \neq O^B$, and thus do not change their weights. Then all the attacker's networks remain unchanged as well. 

- $A$ and $B$ have the same outputs $O^A = O^B$, and the total number of attacking networks is smaller than some limit $M$. In this case there are 4 possible combinations of the hidden outputs agreeing with the final output. So, the attacker replaces each network $C$ from the population by 4 variants of itself, $C_1, \ldots, C_4$, which are the results of updating $C$ with the standard learning rule but pretending that the hidden outputs were equal to each one of these combinations. 

- $A$ and $B$ have the same outputs $O^A = O^B$ but the total number of simulated networks is larger than $M$. In this case the attacker computes the outputs of all the networks, deletes the unsuccessful networks whose output is different from $O^A$, and updates the weights in the successful networks by using the standard learning rule with the actual hidden outputs of the perceptrons. 

Fig. 3. Approximation of $\Delta\rho_\bot$ (the lower distribution) and $\Delta\rho_\top$ (the upper distribution). The polynomials are $f_c(\rho) = -0.6364\rho^3 + 1.5516\rho^2 - 1.3409\rho + 0.4231$ and $f_u(\rho) = -1.8666\rho^3 + 3.6385\rho^2 - 2.5984\rho + 0.6304$. 

Fig. 4. The speed of convergence for $(A, B)$ (the upper line) and $(A, C)$ (the lower one) for $L = 3$, $N = 101$ and $K = 2$. 

Shortly after $A$ and $B$ synchronize for the first time, they know this fact, and the attacker uses the same test to check whether any one of her networks has the same weights as $A$. For the recommended choice of parameters ($K = 3$, $N = 101$, $L = 3$), we tried the attack with a threshold of $M = 2500$ networks, and in more than 50% of our tests at least one of the attacking networks $C$ became synchronized with $A$ even before $A$ and $B$ themselves became fully synchronized. 

We successfully applied this attack to several variants of the KKK scheme using different parameters as well as different rules for updating the weights and computing the output. The attack is particularly effective for variants in which the genetic attack has a small local branching rate (e.g., when $K = 2$). 


4.2 The Geometric Attack 

We have already described the geometric interpretation of the action of a per- 
ceptron. Now we are going to exploit this characterization in order to gain useful 
information about the unknown weights of neural networks which are defined as 
the parity of several perceptrons. 


Analysis of Neural Cryptography 297 


Each input can be viewed as $K$ random hyperplanes $X_1, \ldots, X_K$ corresponding to $K$ perceptrons. Each $X_i$ is a hyperplane 

$$f_i(z_1, \ldots, z_N) = \sum_{j=1}^{N} x_{ij} z_j = 0$$

in the $N$-dimensional discrete space $U = \{-L, \ldots, L\}^N$. The weights of a network could also be viewed as $K$ points $W_1, \ldots, W_K$ in $U$, $W_i = (w_{i1}, \ldots, w_{iN})$, while the $i$-th hidden output is just the side of the half-space (with respect to $X_i$) which contains $W_i$. 

Consider an attacking network $C$ that is close enough to the unknown network $A$ but has a different output for a given input. In fact they have either 1 or 3 different hidden outputs. The second case is less likely to occur so we assume that only one hidden output of the network $C$ is different from the corresponding hidden output of $A$. Consequently, only one pair $(W_i^A, W_i^C)$ is separated by the known input hyperplane $X_i$. Of course, we are interested in detecting its index $i$. 

If the points $W_i^C$ and $W_i^A$ are separated by $X_i$ then the distance between them is greater than the distance from $W_i^C$ to the hyperplane $X_i$. $W_i^C$ and $W_i^A$ are close to each other, so the distance from $W_i^C$ to $X_i$ has to be small. On the other hand, if $W_i^C$ and $W_i^A$ are in the same half-space with respect to $X_i$ then they are more likely to be far away from the random input $X_i$ (even though we know that they are close to each other). We thus guess that the index of the incorrect hidden output is the $i$ for which $W_i^C$ is closest to the corresponding hyperplane $X_i$, where we compute the distance by $\rho(W_i^C, X_i) = |f_i(W_i^C)|$. 

Formally, the attacker constructs a single neural network $C$ with the same structure as $A$ and $B$, and randomly initializes its weights. At each step she trains $C$ with the same input as the two parties, and updates its weights with the following rules: 

- If $A$ and $B$ have different outputs $O^A \neq O^B$, then the attacker doesn't update $C$. 

- If $A$ and $B$ have the same outputs $O^A = O^B$ and $O^C = O^A$, then the attacker updates $C$ by the usual learning rule. 

- If $A$ and $B$ have the same outputs $O^A = O^B$ and $O^C \neq O^A$, then the attacker finds $i_0 \in \{1, \ldots, K\}$ that minimizes $\left|\sum_{j=1}^{N} w_{ij} x_{ij}\right|$. The attacker negates $o_{i_0}^C$ and updates $C$ assuming the new hidden bits and output $O^A$. 

Different attackers starting from randomly chosen states behave independently, and thus multiple attackers have a higher probability of being successful. We tried this attack with 100 random initial states, and at least one of them synchronized with $A$ faster than $B$ with probability $> 90\%$. 

4.3 The Probabilistic Attack 

As was described in the previous section, it is much easier to predict the position of a point in a bounded multidimensional box after several moves in its random walk than to guess its original position. A simple way to do it is to consider each coordinate separately, and to associate with each possible value $i$ in the interval $\{-L, \ldots, L\}$ the probability $p_t(i) = \Pr[a_t = i]$. Initially $\forall i$, $p_0(i) = \frac{1}{2L+1}$, and after each move $p_{t+1}(i) = \sum_j p_t(j)$, where the sum is over those $j$ such that if $a_t = j$ then $a_{t+1} = i$. Applying this technique to the original scheme we face the problem that the moves are not known: the attacker does not know which perceptrons are updated in each round. Fortunately, if we know the distribution of the probabilities $P_{k,n,i} = \Pr[w_{k,n} = i]$ then using dynamic programming we can calculate the distribution of $w_k \cdot x_k$ for a given vector $x_k$ and thus the probabilities $U_k(s) = \Pr[o_k = s]$. Using these probabilities we can calculate the conditional probabilities $U_k = \Pr[o_k = 1 \mid O]$: 

$$U_k = \frac{\sum_{(a_1, \ldots, a_K):\ \prod_i a_i = O,\ a_k = 1}\ \prod_i U_i(a_i)}{\sum_{(a_1, \ldots, a_K):\ \prod_i a_i = O}\ \prod_i U_i(a_i)},$$

because $O$ is publicly known. We can now update the distribution of the weights: $P^{t+1}_{k,n,i} = \sum_j P^t_{k,n,j} \Pr[w^t_{k,n} = j \Rightarrow w^{t+1}_{k,n} = i]$, where $\Pr[w^t_{k,n} = j \Rightarrow w^{t+1}_{k,n} = i]$ is calculated using $U_k$. Experiments show that in most cases, when $A$ and $B$ converge to a common $w_{k,n}$, the probability that the attacker's distribution assigns to that value satisfies $P_{k,n,w_{k,n}} \approx 1$, and thus the adversary can easily find $w_{k,n}$ when $A$ and $B$ decide to stop the protocol. 
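The bounded random walk used as an illustration earlier on this page (the initial position is unrecoverable, yet later states are predictable) and the per-coordinate distribution update $p_{t+1}(i) = \sum_j p_t(j)$ of this section, as an added example that is not part of the paper: the function names, $L = 3$ and the move sequences are this example's own choices, and `step_uncertain` is this example's own generalisation to a move that happens only with some known probability.

```python
# Added example (not from the paper): tracking a clipped random walk on
# {-L, ..., L}, in the spirit of the probabilistic attack of Sec. 4.3.
# All names and the parameter L = 3 are this example's own choices.
from fractions import Fraction

L = 3  # the walk is confined to {-L, ..., L}; moves past a boundary are clipped


def clip(v, bound=L):
    """Keep a coordinate inside [-bound, bound] (the box boundary)."""
    return max(-bound, min(bound, v))


def walk(start, moves, bound=L):
    """Trajectory of one walker: start, then clip(pos + move) for each move."""
    pos, traj = start, [start]
    for m in moves:
        pos = clip(pos + m, bound)
        traj.append(pos)
    return traj


def merge_time(start_a, start_b, moves, bound=L):
    """First time two walkers with different starts coincide.

    Once they coincide they stay together (same moves, same clipping), so
    every later state is predictable even though the starting point cannot
    be told apart.  Returns None if they never meet on this move sequence.
    """
    for t, (a, b) in enumerate(zip(walk(start_a, moves, bound),
                                   walk(start_b, moves, bound))):
        if a == b:
            return t
    return None


def initial_distribution(bound=L):
    """p_0(i) = 1/(2L+1): nothing is known about the starting position."""
    n = 2 * bound + 1
    return {i: Fraction(1, n) for i in range(-bound, bound + 1)}


def step(dist, move, bound=L):
    """p_{t+1}(i) = sum of p_t(j) over all j that the move sends to i."""
    new = {i: Fraction(0) for i in range(-bound, bound + 1)}
    for j, pj in dist.items():
        new[clip(j + move, bound)] += pj
    return new


def step_uncertain(dist, move, prob_move, bound=L):
    """This example's own generalisation: the move happens only with
    probability prob_move, otherwise the coordinate stays put.  This is
    the shape of an update weighted by the probability U_k that the
    perceptron was really updated in the round."""
    moved = step(dist, move, bound)
    return {i: prob_move * moved[i] + (1 - prob_move) * dist[i] for i in dist}


def track(moves, bound=L):
    """Apply a known sequence of moves to the initial uniform distribution."""
    dist = initial_distribution(bound)
    for m in moves:
        dist = step(dist, m, bound)
    return dist


def most_likely(dist):
    """(value, probability) of the mode of the distribution."""
    return max(dist.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    moves = [+1] * 6  # constructed move sequence that pushes every walker to +L
    print("walkers starting at -3 and +3 merge at step", merge_time(-3, 3, moves))
    print("most likely position after the moves:", most_likely(track(moves)))
```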
Abstract. At ACM CCS '01, Catalano et al. proposed a mix of the RSA cryptosystem with the Paillier cryptosystem from Eurocrypt '99. The resulting scheme, which we call RSAP, is a probabilistic cryptosystem which is both semantically secure under an appropriate decisional assumption and as efficient as RSA, but without the homomorphic property of the Paillier scheme. Interestingly, Sakurai and Takagi presented at PKC '02 a proof that the one-wayness of RSAP was equivalent to the RSA assumption. However, we notice in this paper that the above proof is not completely correct (it works only in the case when a perfect oracle, i.e. an oracle that always provides correct answers, is given). 

We fix the proof by presenting a new proof based on low-dimensional lattices. The new proof, inspired by the work of Sakurai and Takagi, is somewhat related to Hensel lifting and the $N$-adic decomposition of integer exponentiation. Roughly speaking, we consider the problem of computing $f(x) \bmod M^\ell$ given $f(x) \bmod M$ and an exponent $\ell > 1$. By studying the case $f(x) = x^e$ and $M$ is an RSA-modulus, we deduce that the one-wayness of RSAP is indeed equivalent to the RSA assumption, and we are led to conjecture that the one-wayness of the original Paillier scheme may not be equivalent to the RSA assumption with exponent $N$. By analogy, we also study the discrete logarithm case, namely when $f(x) = g^x$ and $M$ is a prime, and we show that the corresponding problem is curiously equivalent to the discrete logarithm problem in the subgroup spanned by $g$. 

Keywords: Public-key, RSA, Paillier, Discrete logarithm, Hensel, One-wayness, Lattice. 

1 Introduction 

Many basic computational problems in number theory can be efficiently solved by first looking at the problem modulo a (small) prime number $p$ and then performing a so-called Hensel lifting, which iteratively transforms solutions modulo $p$ into solutions modulo arbitrary powers of $p$. This is for instance the case with factorization of univariate integer polynomials, and with integer root finding of univariate integer polynomials (see [1,5]). The lifting process has been dubbed Hensel lifting because of the pioneering work of the German mathematician Hensel on $p$-adic numbers at the end of the 19th century. The $p$-adic numbers are beyond the scope of this paper, and we refer the interested reader to [8] for more information: let us just briefly mention that, mathematically speaking, the $p$-adic numbers are an extension (depending on $p$) of the field $\mathbb{Q}$ of rational numbers, which is built as a completion of $\mathbb{Q}$ with respect to a specific metric (different from the usual absolute value $|x - y|$) related to the decomposition in base $p$ of every positive integer. The link between Hensel lifting and $p$-adic numbers is natural: Hensel lifting produces solutions modulo increasing powers of $p$ which can be viewed as better and better approximations of some "true" solution, where the quality of the approximation is measured thanks to the specific metric of the $p$-adic numbers. 

In this paper we consider Hensel lifting from a cryptographic perspective. We study the hardness of the general problem of computing $f(x) \bmod M^\ell$ (where $\ell$ is an integer $\geq 2$) given $f(x) \bmod M$, where the function $f$ is implemented as either the RSA function or the Discrete Logarithm function. More precisely, we investigate the following problems: 

1. Given an RSA modulus $N$ and the value $x^e \bmod N$ where $0 < x < N$, how hard is it to compute $x^e \bmod N^\ell$ (for $\ell > 1$)? 

2. Given a prime $p$, an integer $g$ and the value $g^x \bmod p$ where $x$ is defined modulo the order of $g$, how hard is it to compute $g^x \bmod p^\ell$ (again for $\ell > 1$)? 

Motivation and Previous Work. At Eurocrypt '99 Paillier [11] proposed a new cryptosystem based on a novel computational problem: the composite residuosity class problem. The details of the scheme are given below; for now let us highlight the main contributions of Paillier's construction. Given an RSA modulus $N$, the multiplicative group $\mathbb{Z}^*_{N^2}$ can be partitioned into $N$ equivalence classes according to the following equivalence relation: $a, b \in \mathbb{Z}^*_{N^2}$ are equivalent if and only if the product $ab^{-1}$ is an $N$-th residue modulo $N^2$, where by $N$-residue we intend an element $x \in \mathbb{Z}^*_{N^2}$ such that there exists $y \in \mathbb{Z}^*_{N^2}$ satisfying the equation $x = y^N \bmod N^2$. 

The composite residuosity class problem is then the problem to determine, on input a random value $w \in \mathbb{Z}^*_{N^2}$, to which class such an element belongs. The one-wayness of Paillier's scheme is provably equivalent to the class problem, which turns out to be related but not known to be equivalent to the problem of inverting RSA when the public encryption exponent is set to $N$. The semantic security of Paillier's scheme is provably equivalent to a decisional variant of the class problem. Paillier's paper has sparked a huge amount of research due to its beautiful and original mathematical structure. Moreover the scheme is very attractive for many practical applications because of its homomorphic property: given the ciphertexts $c_1 = \mathrm{ENC}(m_1)$ and $c_2 = \mathrm{ENC}(m_2)$, an encryption of $m_1 + m_2$ can easily be obtained by simply multiplying $c_1$ and $c_2$. 

The main drawback of Paillier's scheme is its cost: encryption and decryption cost respectively two and one modular exponentiations, but all the operations are performed modulo $N^2$. Moreover the exponents used all have order $\Omega(N)$. To improve the efficiency of the scheme, Catalano et al. [4] proposed a mix of Paillier's scheme with the RSA scheme, whose running time is comparable to that of plain RSA, and which is still semantically secure under an appropriate decisional assumption. The new scheme follows from an alternative decryption process for a particular instance of Paillier's scheme, which allows one to drastically reduce the size of the encryption exponent. Interestingly enough, even though the modification proposed in [4] only slightly changes the encryption scheme, it deeply influences its mathematical structure. In the following we will refer to the Catalano et al. cryptosystem as the RSA-Paillier Cryptosystem (RSAP for brevity). 

Later, Sakurai and Takagi [12] further studied the properties of the RSA-Paillier scheme and presented a proof that its one-wayness is equivalent to the problem of inverting RSA. Unfortunately, even though the proposed ideas are very appealing, they turn out not to be completely sound from a technical point of view. Specifically they prove that the one-wayness of the RSA-Paillier cryptosystem is equivalent to the problem of computing, given a value of the form $r^e \bmod N$, the "lifted" value $r^e \bmod N^2$. Then the proof proceeds by a standard reductio ad absurdum argument: they prove that if one has an oracle to efficiently solve the above lifting problem, this oracle could be used to construct an efficient algorithm that computes the least significant bit of RSA (which, in turn, is known to be a hard core predicate [2] for the RSA function [7]). However, as we will show in Section 3, the argument is flawed, in the sense that the proposed technique works only for the particular case in which the oracle gives a correct answer with probability 1 (and we will note that another result of [12] related to another variant of RSA suffers from the same flaw). Thus the problem of proving the equivalence between the one-wayness of RSA and the one-wayness of RSA-Paillier remains open for the general case in which the provided oracle answers correctly only for a non-negligible fraction of the inputs. 

A variant of the Hensel lifting problem was discussed by Takagi [13], who proposed some efficient variants of RSA using $N$-adic expansion. 

Our Results. Our contributions can be summarized as follows. First of all we prove that the one-wayness of the RSA-Paillier function is actually equivalent to that of the RSA function. We then turn our attention to the original Paillier trapdoor function and we prove the following, somewhat surprising, results: 

1. Given a random RSA modulus $N$, computing $r^N \bmod N^2$ from a value $r^N \bmod N$ where $0 < r < N$ is as hard as solving the composite residuosity class problem. 

2. Given a random RSA modulus $N$, computing $r^N \bmod N^3$ from a value $r^N \bmod N$ where $0 < r < N$ is as hard as inverting RSA when the public exponent is set to $N$. 

In some sense, the above results seem to provide an intuitive separation between the Class assumption, introduced by Paillier, and the RSA assumption. This leads us to conjecture that the one-wayness of the Paillier scheme is not equivalent to the RSA assumption with exponent $N$. 
Our techniques can be generalized to the discrete logarithm function (modulo a prime $p$) as well, and we prove that, under certain conditions, the problem of computing $g^x \bmod p^\ell$ when $g$, $p$, $h = g^x \bmod p$ are given is equivalent to the problem of computing $x$. More precisely, the order $\omega$ of $g$ modulo $p$ is assumed to be prime and publicly known, and the integer $\ell$ is defined as the unique positive integer such that $g^\omega \not\equiv 1 \pmod{p^\ell}$ and $g^\omega \equiv 1 \pmod{p^{\ell - 1}}$. 

Road Map. The paper is organized as follows. In Section 2 we provide definitions 
and notations that are useful for the rest of the paper. Then we quickly describe 
Paillier’s cryptosystem and its variant from [4]. Section 3 presents our results for 
the RSA case. The discrete logarithm case is discussed in Section 4. We conclude 
the paper with some remarks and directions for future research in Section 5. 


2 Preliminaries 

Notation (basically quoted from [4]). In the following we denote by $\mathbb{N}$ the set of natural numbers, by $\mathbb{R}^+$ the set of positive real numbers, by $\mathbb{Z}_N$ the ring of integers mod $N$, which we identify with the set $\{0, 1, \ldots, N - 1\}$, and by $\mathbb{Z}^*_N$ its subset of invertible elements. In particular, we view elements of $\mathbb{Z}_N$ as integers of $\{0, \ldots, N - 1\}$: for instance, if $r \in \mathbb{Z}_N$, $r^e \bmod N^2$ denotes the integer $r$ raised to the power $e$ (as an integer and not as an integer mod $N$), eventually taken modulo $N^2$. We say that a function $\mathrm{negl} : \mathbb{N} \to \mathbb{R}^+$ is negligible iff for every polynomial $P(n)$ there exists an $n_0 \in \mathbb{N}$ s.t. for all $n > n_0$, $\mathrm{negl}(n) < 1/P(n)$. We denote by $\mathcal{PRIMES}(k)$ the set of primes of length $k$. For $a, b \in \mathbb{N}$ we write $a \propto b$ if $a$ is a non-zero multiple of $b$. 

If $A$ is a set, then $a \leftarrow A$ indicates the process of selecting $a$ at random and uniformly over $A$ (which in particular assumes that $A$ can be sampled efficiently). 

If $N$ is an RSA modulus (i.e. $N = pq$ with $p, q$ primes), then we denote by $\mathrm{RSA}[N, e]$ the RSA function with exponent $e$. In the following we will assume that $\mathrm{RSA}[N, e]$ is a one-way function, i.e. that given $N$ of unknown factorization, a public exponent $e$ and $\mathrm{RSA}[N, e](x) = x^e \bmod N$, for random $x$ it is infeasible to efficiently compute $x$. We will refer to this conjecture as the $\mathrm{RSA}[N, e]$ assumption. 

Paillier's Scheme. Let $N = pq$ be an RSA modulus and consider the multiplicative group $\mathbb{Z}^*_{N^2}$. Let $g$ be an element whose order is a multiple of $N$ in $\mathbb{Z}^*_{N^2}$. Paillier [11] defines the following function 

$$\mathcal{P}_g : \mathbb{Z}^*_N \times \mathbb{Z}_N \to \mathbb{Z}^*_{N^2}, \qquad \mathcal{P}_g(r, m) = r^N g^m \bmod N^2$$

and proves the following statements: 

- The function $\mathcal{P}_g$ is a trapdoor permutation. The trapdoor information is the factorization of $N$. 

- Inverting $\mathcal{P}_g$ is equivalent to inverting $\mathrm{RSA}[N, N]$. 

By the first property above, once $g$ is fixed, for a given $w \in \mathbb{Z}^*_{N^2}$, there exists a unique pair $(m, r)$ such that $w = r^N g^m \bmod N^2$. We say that $m$ is the class of $w$ relative to $g$, and we indicate this value with $\mathrm{Class}_g(w)$. We define the Computational Composite Residuosity Class Problem as the problem of computing $m$ when $N$, $g$ and $w$ are provided. We will assume this to be an intractable problem. More formally, we use the following definition from [3]: 

Definition 1. We say that computing the function $\mathrm{Class}_g(\cdot)$ is hard if, for every probabilistic polynomial time algorithm $\mathcal{A}$, there exists a negligible function $\mathrm{negl}()$ such that 

$$\Pr\left[\, p, q \leftarrow \mathcal{PRIMES}(n/2);\ N = pq;\ g \leftarrow \mathbb{Z}^*_{N^2} \text{ s.t. } \mathrm{ord}(g) \propto N;\ c \leftarrow \mathbb{Z}_N;\ z \leftarrow \mathbb{Z}^*_N;\ w = g^c z^N \bmod N^2 :\ \mathcal{A}(N, g, w) = c \,\right] = \mathrm{negl}(n).$$

In his paper Paillier proves that the function $\mathrm{Class}$ is random self reducible [2] over $g \in \mathbb{Z}^*_{N^2}$, i.e. that its complexity is independent of the specific base $g$ used. 

The RSA-Paillier Scheme. Let $N = pq$ be an RSA modulus and consider the multiplicative group $\mathbb{Z}^*_{N^2}$. For a random $e \in \mathbb{Z}_N$ such that $\gcd(e, \lambda(N^2)) = 1$, Catalano et al. [4] defined the following function 

$$\mathcal{E}_e(r, m) = r^e (1 + mN) \bmod N^2$$

and they proved it is a trapdoor permutation equivalent to $\mathrm{RSA}[N, e]$. 

To encrypt a message $m$, one simply chooses a random $r \in \mathbb{Z}^*_N$ and sets $c = (1 + mN) r^e \bmod N^2$. From the ciphertext $c$, anyone knowing the factorization of $N$ can retrieve the message, by first computing $r = \sqrt[e]{c} \bmod N$ and then getting $m$ as $\frac{(c \, r^{-e} \bmod N^2) - 1}{N}$ over the integers. 

Notice that, in order for the above decryption procedure to work, it is not necessary to assume $\gcd(e, \lambda(N^2)) = 1$. As a matter of fact, one can consider exponents $e$ such that $\gcd(e, \lambda(N)) = 1$. 

In this sense by letting $e = N$ we go back to an instance of Paillier's scheme where $g$ is set to $(1 + N)$. For the purposes of this paper, however, we will assume $\gcd(e, \lambda(N^2)) = 1$. The reason for this choice will become clearer in the next section. 


3 The RSA Case 

We start this section by introducing a new computational problem, which is actually very similar to a problem presented in [12]. 

Informally, the problem we have in mind can be stated as follows. Assume an RSA modulus $N$ is provided; given $c = r^e \bmod N$ (where $r \leftarrow \{0, \ldots, N - 1\}$), we want to compute the "lifted" value $r^e \bmod N^\ell$ for $\ell > 1$. More formally we define the following function over $\{0, \ldots, N - 1\}$: 

$$\text{Hensel-RSA}[N, e, \ell](r^e \bmod N) = r^e \bmod N^\ell$$

Note that this function is well-defined over $\{0, \ldots, N - 1\}$ because the RSA function is a permutation over $\mathbb{Z}_N$. 

It is immediate to see that if the factorization of the modulus is known then one can efficiently compute Hensel-RSA. On the other hand, if the factorization of $N$ is not available, we conjecture it is infeasible to compute such a function in probabilistic polynomial time. 

Definition 2. We say that computing the function Hensel-RSA$[N, e, \ell](r^e \bmod N)$ is hard if, for every probabilistic polynomial time algorithm $\mathcal{A}$, there exists a negligible function $\mathrm{negl}()$ such that 

$$\Pr\left[\, p, q \leftarrow \mathcal{PRIMES}(n/2);\ N = pq;\ r \leftarrow \{0, \ldots, N - 1\};\ w = r^e \bmod N :\ \mathcal{A}(N, e, w, \ell) = r^e \bmod N^\ell \,\right] = \mathrm{negl}(n).$$

In the next lemma (originally presented, in a slightly different form, in [12]) we make explicit the relation existing between the problem of computing the function Hensel-RSA and the one-wayness of the RSA-Paillier scheme. The proof is straightforward and is left to the reader. 

Lemma 1. Given an RSA modulus $N$ and a public exponent $e$, the RSA-Paillier function is one-way if and only if Hensel-RSA$[N, e, 2]$ is hard. 

Now, on top of Lemma 1, we prove that the one-wayness of RSA-Paillier is equivalent to the one-wayness of RSA, by showing that the problem of computing Hensel-RSA, with parameters $N$, $e$ and 2, on input $r^e \bmod N$ and the one of computing $r$ from $r^e \bmod N$ are computationally equivalent. Observe that assuming that Hensel-RSA$[N, e, 2]$ is hard implicitly implies that the $\mathrm{RSA}[N, e]$ assumption must hold. Consequently, we will focus on proving that the inverse direction also holds, i.e. that under the $\mathrm{RSA}[N, e]$ assumption Hensel-RSA$[N, e, 2]$ is hard. 
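The RSA-Paillier function $\mathcal{E}_e$ of Section 2, its trapdoor decryption, and the Lemma 1 relation in working form, as an added example that is not the paper's own code: any procedure that maps $r^e \bmod N$ to $r^e \bmod N^2$ decrypts an RSAP ciphertext without the factorization, which is why Hensel-RSA$[N, e, 2]$ must be hard for RSAP to be one-way. The oracle is simulated here with the trapdoor; the toy primes, the exponent and all function names are this example's own choices.

```python
# Added example (not from the paper): RSA-Paillier (RSAP) encryption and its
# link to Hensel-RSA[N, e, 2] (Lemma 1).  Toy primes and names are this
# example's own choices.  Needs Python 3.8+ for pow(x, -1, m).
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def lam(p, q):
    """Carmichael function lambda(N) = lcm(p-1, q-1) for N = pq."""
    return lcm(p - 1, q - 1)


def rsa_secret_exponent(p, q, e):
    """d with e*d = 1 (mod lambda(N)); requires gcd(e, lambda(N)) = 1."""
    return pow(e, -1, lam(p, q))


def rsap_encrypt(N, e, r, m):
    """E_e(r, m) = r^e (1 + mN) mod N^2 with r in Z_N^* and m in Z_N."""
    assert 0 <= m < N and gcd(r, N) == 1
    return pow(r, e, N * N) * (1 + m * N) % (N * N)


def paillier_encrypt(N, g, r, m):
    """Paillier's function P_g(r, m) = r^N g^m mod N^2 (Section 2)."""
    return pow(r, N, N * N) * pow(g, m, N * N) % (N * N)


def hensel_rsa(N, p, q, e, w, l):
    """Hensel-RSA[N, e, l](r^e mod N) = r^e mod N^l, using the trapdoor (p, q).

    The RSA function is a permutation of Z_N, so r is recovered from w first
    and then re-raised to the power e modulo N^l.
    """
    d = rsa_secret_exponent(p, q, e)
    r = pow(w, d, N)
    return pow(r, e, N ** l)


def rsap_decrypt_with_lift(N, e, c, lift):
    """Recover m from c = r^e (1 + mN) mod N^2 given any procedure `lift`
    mapping r^e mod N to r^e mod N^2: this is the Lemma 1 direction.

    c mod N equals r^e mod N because (1 + mN) = 1 (mod N), and the quotient
    c * (r^e)^(-1) mod N^2 equals 1 + mN exactly since m < N.
    """
    lifted = lift(c % N)
    t = c * pow(lifted, -1, N * N) % (N * N)
    assert (t - 1) % N == 0
    return (t - 1) // N


def rsap_decrypt(N, p, q, e, c):
    """Legitimate decryption: the factorization provides the lift."""
    return rsap_decrypt_with_lift(N, e, c, lambda w: hensel_rsa(N, p, q, e, w, 2))


if __name__ == "__main__":
    # constructed toy parameters (far too small for real use)
    P, Q = 47, 59
    N = P * Q                      # 2773
    E = 17                         # gcd(E, lambda(N)) = gcd(17, 1334) = 1, gcd(E, N) = 1
    r, m = 1234, 777
    c = rsap_encrypt(N, E, r, m)
    print("decrypt with trapdoor:        ", rsap_decrypt(N, P, Q, E, c))
    # a party holding only a Hensel-RSA[N, E, 2] oracle obtains the same m
    oracle = lambda w: hensel_rsa(N, P, Q, E, w, 2)   # stand-in for the oracle
    print("decrypt via Hensel-RSA oracle:", rsap_decrypt_with_lift(N, E, c, oracle))
```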


3.1 A Flawed Solution 

In this paragraph we discuss the approach followed by Sakurai and Takagi [12, Theorem 2], and we show why it is incorrect. 

As already sketched in the introduction, they propose the following strategy: assume, for the sake of contradiction, that one has an oracle $\mathcal{O}$ that, on input $r^e \bmod N$, computes $r^e \bmod N^2$ with some non-negligible probability of success $\varepsilon$. Then, on input a random RSA ciphertext $r^e \bmod N$, the basic idea of their proof is to use such an oracle to compute the least significant bit of $r$ with some non-negligible advantage, and then apply the bit-security result of [7]. They implement this idea as follows: 

1. Run $\mathcal{O}(r^e \bmod N)$ and obtain $b_0 + b_1 N = r^e \bmod N^2$. 

2. Run $\mathcal{O}((2^{-1} r)^e \bmod N)$ and obtain $a_0 + a_1 N = (2^{-1} r)^e \bmod N^2$. 

3. Return 1 as the lsb of $r$ if $a_0 + a_1 N = 2^{-e}(b_0 + b_1 N) \bmod N^2$ holds and 0 otherwise. 

Finally they claim that the success probability of the above algorithm is $\varepsilon^2$. However this is not true. As a matter of fact, in order for such an estimate to be correct it is crucial to query the oracle on random and independently generated inputs. Here, on the contrary, the two inputs are clearly not independently sampled. Thus it is not possible to bound by $\varepsilon^2$ the probability of success of the algorithm¹. By the way, exactly the same mistake appears in another part of the paper [12], more precisely in the proof of [12, Theorem 6], related to the one-wayness of another class of probabilistic variants of RSA. 

Furthermore, we note that even if the proof were correct, the reduction would be rather inefficient in terms of oracle calls. Indeed, the reduction makes two oracle calls to obtain only one bit of information on $r$, which implies that to completely recover $r$, one has to make at least $2 \log N$ oracle calls. And one also has to use the reduction of the bit-security result of [7]. 


3.2 Our Solution 

With the next theorem we propose a general result connecting the difficulty of 
computing the Hensel-RSA function with the hardness of inverting RSA. Specifically, 
we prove that, given a public exponent of the form $e = fN^\ell$ (for constants 
$\ell \ge 0$ and $f > 0$ such that $\gcd(f, \lambda(N^2)) = 1$), Hensel-RSA$[N, e, \ell + 2]$ is hard 
if and only if RSA$[N, e]$ is hard. Note that any valid RSA public encryption 
exponent $e$ can be written in the form $e = fN^\ell$ (where $\gcd(f, \lambda(N^2)) = 1$), 
unless $\gcd(e, N)$ is a non-trivial factor of $N$, in which case the public exponent 
$e$ would disclose the RSA private key. As already mentioned, our proof will focus 
on showing that under the RSA$[N, e]$ assumption, Hensel-RSA$[N, e, \ell + 2]$ is 
hard. Interestingly, our reduction only calls the oracle twice, as opposed to at 
least $2 \log N$ for the (flawed) one proposed by [12]. 

Theorem 1. Given an integer $N$ and an integer $e$ of the form $e = fN^\ell$ where 
$f$ is coprime with $\lambda(N^2)$ and $\ell \ge 0$, then Hensel-RSA$[N, e, \ell + 2]$ is hard if and 
only if the RSA$[N, e]$ assumption holds. 

Proof. Assume, for the sake of contradiction, that Hensel-RSA$[N, e, \ell + 2]$ is not 
hard. This means that there exists an oracle $O$ that, on input a random challenge 
$w = r^e \bmod N$, computes $r^e \bmod N^{\ell+2}$ with some non-negligible probability $\varepsilon$. 
Here we will show how to use this oracle to construct a probabilistic polynomial 
time algorithm that successfully inverts RSA with a polynomially related 
probability. 

$^1$ For example, it may very well happen that the non-negligible set of inputs for 
which the oracle answers correctly does not contain any couple of the form 
$(r^e \bmod N, (2^{-1} r)^e \bmod N)$, and, in such a case, the success probability of the 
algorithm would be 0. 
Assume that we are given as input a random element $w = r^e \bmod N$: our 
goal is to compute $r$. We start by choosing a random $a$ uniformly in $\mathbb{Z}_N^*$. We then 
call the oracle $O$ twice, on inputs $w$ and $(a^e w) \bmod N$. Since the queries $w$ and 
$(a^e w) \bmod N$ are independent and uniformly distributed over $\mathbb{Z}_N$ (by definition 
of $r$, $w$ and $a$), we obtain with probability $\varepsilon^2$ the integers $r^e \bmod N^{\ell+2}$ and 
$\mu^e \bmod N^{\ell+2}$, where $\mu$ is defined by $\mu = ar \bmod N$. 

We may assume that $r \in \mathbb{Z}_N^*$, otherwise either $r = 0$ or we are able to factor 
$N$. Then $\mu$ is invertible modulo $N^{\ell+2}$, and therefore there exists $z \in \mathbb{Z}_{N^{\ell+1}}$ such 
that: 

$$ar = \mu(1 + zN) \pmod{N^{\ell+2}} \qquad (1)$$

Raising to the power $e = fN^\ell$, we obtain: 

$$a^e r^e = \mu^e (1 + zfN^{\ell+1}) \pmod{N^{\ell+2}}.$$

In this congruence, we know $a$, $r^e \bmod N^{\ell+2}$ and $\mu^e \bmod N^{\ell+2}$: we can thus 
compute $zf$ modulo $N$. Since $f$ is coprime with $N$, we derive $z_0 = z \bmod N$. 
Taking equation (1) modulo $N^2$, we obtain: 

$$ar = \mu(1 + z_0 N) \pmod{N^2}, \qquad (2)$$

where only $r$ and $\mu$ are unknowns, both in $\{1, \ldots, N - 1\}$. 

To complete the proof, we solve this linear congruence by a lattice reduction 
argument (see for instance the survey [10] for references on lattice theory). 
Consider indeed the following set 

$$L = \{(R, U) \in \mathbb{Z}^2 : aR = U(1 + z_0 N) \pmod{N^2}\}.$$

Since $L$ is a subgroup of $\mathbb{Z}^2$, $L$ is a lattice, whose dimension is obviously equal to 
two. The vector $(r, \mu)$ belongs to $L$ and to $[1, N - 1]^2$. Therefore $L \cap [1, N - 1]^2$ 
is not empty. A classical lattice reduction result (which can be viewed as a 
particular case of integer programming in fixed dimension, see [9]) then states 
that one can compute a vector $(r', \mu') \in L \cap [1, N - 1]^2$ in time polynomial in 
$\log N$ (because one obviously knows a basis of $L$ whose size is polynomial in 
$\log N$). Because $(r, \mu)$ and $(r', \mu')$ both belong to $L$, equation (2) implies: 

$$r\mu' = r'\mu \pmod{N^2}.$$

Since $r, \mu, r', \mu'$ all lie in $[1, N - 1]$, the congruence is in fact an equality over $\mathbb{Z}$: 
$r\mu' = r'\mu$. From $r'$ and $\mu'$, we can therefore compute the integers $r$ and $\mu$ up to 
a multiplicative factor, namely $\gcd(r, \mu)$. 

We now show that with overwhelming probability, this gcd will be sufficiently 
small that it can be exhaustively searched in polynomial time. To see this, notice 
that the number of pairs $(\alpha, \beta) \in [0, N - 1]^2$ which have a common divisor $d$ 
is $O(N^2/d^2)$ as $N$ grows; therefore, for any $B$, the number of pairs $(\alpha, \beta) \in 
[0, N - 1]^2$ which have a gcd $> B$ is at most $O(\sum_{d > B} N^2/d^2) = O(N^2/B)$. 
Since $\mu$ and $r$ are both uniformly distributed over $\mathbb{Z}_N$, the probability that 
$\gcd(\mu, r) > (\log N)/\varepsilon^2$ is $O(\varepsilon^2/\log N)$ by taking $B = (\log N)/\varepsilon^2$. Finally, we 
proved that with probability at least $\varepsilon^2 - O(\varepsilon^2/\log N) = \varepsilon^2(1 - o(1))$ over the 
choice of $(a, r)$, we can compute in polynomial time $r$ and $\mu$ up to the factor 
$\gcd(r, \mu)$, which is $\le (\log N)/\varepsilon^2$. Thus, we can compute $r$ in time polynomial in 
$\log N$ and $1/\varepsilon$, thanks to an exhaustive search over $\gcd(r, \mu)$, since the value of 
$r$ can be checked with $w = r^e \bmod N$. □ 

As an immediate consequence of Theorem 1 and Lemma 1, we obtain: 

Corollary 1. Given an RSA modulus $N$ together with a public exponent $e$ such 
that $\gcd(e, \lambda(N^2)) = 1$, the RSAP encryption function is one-way if and only if 
RSA$[N, e]$ is a one-way function. 

Observe that, by setting $f = \ell = 1$ in the parameters of Theorem 1, we get that 
the hardness of Hensel-RSA$[N, N, 3]$ is actually equivalent to that of RSA$[N, N]$. 
To complete the picture, with the next theorem we make explicit the relation 
existing between the one-wayness of Paillier's encryption function and the problem 
of computing Hensel-RSA with parameters $N, N, 2$. 

Theorem 2. Given an RSA modulus $N$, then Hensel-RSA$[N, N, 2]$ is hard if and 
only if Class$_g$ is hard. 

Proof. Since, for all $g$ such that $\mathrm{ord}(g) \propto N$, all the instances of Class$_g(\cdot)$ are 
computationally equivalent, we will prove the theorem for the case in which 
$g = 1 + N$ (note that $1 + N$ has order $N$ in $\mathbb{Z}_{N^2}^*$). 

First assume that a random ciphertext $c = (1 + mN) r^N \bmod N^2$ is given. 
Our goal is to compute $m$ using an oracle that, when receiving an input of 
the form $y^N \bmod N$, returns as output the value $y^N \bmod N^2$, with probability $\varepsilon$ 
(non-negligible). Thus when the oracle is given the value $c \bmod N$, it will answer 
$(\sqrt[N]{c \bmod N})^N \bmod N^2$ with probability $\varepsilon$. Note that this value corresponds to 
$r^N \bmod N^2$ (observe that this is true even in the case in which $r$ is greater than 
$N$). From $r^N \bmod N^2$ and $c$ it is easy to compute $m$. 

Conversely, assume we are given an oracle that, on input a random $c \in \mathbb{Z}_{N^2}^*$, 
computes the class of $c$ with respect to the base $(1 + N)$ (again we denote by $\varepsilon$ 
the probability of success of the oracle). Now we would like to compute, for a 
random challenge $r^N \bmod N$, the corresponding $r^N \bmod N^2$, using the provided 
oracle. 

Let us consider the value 

$$d = (r^N \bmod N) + kN$$

where $k \leftarrow \mathbb{Z}_N$. Note that, since $r^N \bmod N$ is uniformly distributed in $\mathbb{Z}_N^*$ and 
$\mathbb{Z}_{N^2}^*$ is isomorphic to $\mathbb{Z}_N^* \times \mathbb{Z}_N$ [11], $d$ is uniformly distributed in $\mathbb{Z}_{N^2}^*$ and 
can be written (uniquely) as 

$$d = r^N (1 + mN) \bmod N^2;$$

extracting $m$ from $d$ (via the given oracle) thus leads to computing $r^N \bmod N^2$. 

Remark 1. At PKC'01 Damgard and Jurik [6] presented a generalized (and still 
homomorphic) version of Paillier's basic cryptosystem in which the expansion 
factor is reduced and the block length of the scheme may be changed without 
altering the public key. Moreover they show that such a variant is as secure as 
Paillier's construction. 

The result presented in Theorem 2 above can be generalized to connect 
the one-wayness of the Damgard-Jurik construction and the hardness of Hensel-RSA 
with appropriate parameters. Details are deferred to the final version of 
this paper. 

4 The Discrete Log Case 

In this section we extend our results to the discrete logarithm function. Let 
$\omega \in \mathcal{PRIMES}(k)$ and $g \in \mathbb{Z}_p$ an element of order $\omega$ in $\mathbb{Z}_p^*$, where $p$ is a prime 
(note that $\omega$ must divide $p - 1$). We introduce the following computational 
problem: given $p$, $g$, $\omega$ and $h = g^x \bmod p$, compute $h' = g^x \bmod p^\ell$. 

Formally we define the function: 

$$\text{Hensel-Dlog}[p, g, \ell](g^x \bmod p) = g^x \bmod p^\ell.$$

We will assume this function to be not computable in probabilistic polynomial 
time. 

Definition 3. Let $n(\cdot)$ be a polynomial; we say that computing the function 
Hensel-Dlog$[p, g, \ell](g^x \bmod p)$ is hard if, for every probabilistic polynomial 
time algorithm $A$, there exists a negligible function $\mathrm{negl}(\cdot)$ such that 

$$\Pr\left[\begin{array}{l} 
\omega \leftarrow \mathcal{PRIMES}(k);\ p \leftarrow \mathcal{PRIMES}(n(k)) \text{ s.t. } p - 1 \propto \omega; \\ 
g \leftarrow \mathbb{Z}_p^* \text{ s.t. } \mathrm{ord}(g) = \omega;\ x \leftarrow \mathbb{Z}_\omega;\ h = g^x \bmod p : \\ 
A(p, g, h, \omega, \ell) = g^x \bmod p^\ell 
\end{array}\right] \le \mathrm{negl}(k).$$

With the following theorem we relate the hardness of the function Hensel-Dlog 
to the hardness of the Discrete Logarithm function. 

Theorem 3. Let $\omega$ be a $k$-bit random prime and $p$, such that $p - 1 \propto \omega$, a 
prime whose size is polynomially related with $k$. Given $g$ of order $\omega$ in $\mathbb{Z}_p^*$ 
and $\omega$, Hensel-Dlog$[p, g, \ell]$ is hard if and only if the discrete logarithm in the 
subgroup spanned by $g$ in $\mathbb{Z}_p^*$ is a one-way function, where $\ell$ is defined as the 
unique positive integer such that $g^\omega \not\equiv 1 \pmod{p^\ell}$ and $g^\omega \equiv 1 \pmod{p^{\ell-1}}$. 

Proof. We follow the proof of Theorem 1. Assume, for the sake of contradiction, 
that Hensel-Dlog$[p, g, \ell]$ is not hard. This means that there exists an oracle $O$ 
that, on input a random challenge $h = g^x \bmod p$ uniformly distributed over the 
subgroup spanned by $g$, computes $g^x \bmod p^\ell$ with some non-negligible probability 
$\varepsilon$. Here we will show how to use this oracle to construct a probabilistic 
polynomial time algorithm that successfully extracts discrete logarithms in base 
$g$ modulo $p$ with a polynomially related probability. 

We are given as input a random element $h = g^x \bmod p$: our goal is to compute 
$x$. We start by choosing a random $a$ uniformly in $\mathbb{Z}_\omega^*$. We then call the 
oracle $O$ twice, on inputs $h$ and $h^a \bmod p$. Since the queries $h$ and $h^a \bmod p$ are 
independent and uniformly distributed over the subgroup spanned by $g$ (because 
$\omega$ is prime), we obtain with probability $\varepsilon^2$ the integers $g^x \bmod p^\ell$ and $g^\mu \bmod p^\ell$, 
where $\mu$ is defined by $\mu = ax \bmod \omega$. 

Because $0 < a < \omega$ and $0 \le x < \omega$, there exists an integer $r$ such that 
$ax = \mu + r\omega$ and $0 \le r < \omega$. We obtain: 

$$g^{ax} = g^\mu g^{r\omega} \pmod{p^\ell}.$$

From $g^x \bmod p^\ell$ and $g^\mu \bmod p^\ell$, we therefore derive $g^{r\omega} \bmod p^\ell$. Besides, $\ell$ is 
such that $g^\omega \not\equiv 1 \pmod{p^\ell}$ and $g^\omega \equiv 1 \pmod{p^{\ell-1}}$. One can therefore compute 
an integer $z \in \mathbb{Z}_p$ such that: 

$$g^\omega = 1 + p^{\ell-1} z \pmod{p^\ell}.$$

Then: 

$$g^{r\omega} = 1 + p^{\ell-1} r z \pmod{p^\ell}.$$

Hence, we can compute $r \bmod p$, and since $0 \le r < \omega < p$, we know $r$ exactly. 

Now, in the equation $ax = \mu + r\omega$, only the integers $0 \le x < \omega$ and $0 \le \mu < \omega$ 
are unknown. We have: 

$$\frac{r\omega}{a} \le x < \frac{(r + 1)\omega}{a}.$$

We thus obtain an interval of length $\omega/a$ containing $x$. We now show that with 
overwhelming probability, this interval will be sufficiently short to be exhaustively 
searched. 

Indeed, with probability at least $1 - \varepsilon^2/\log\omega$ over the choice of $a$, we have 
$a \ge \varepsilon^2 \omega/\log\omega$, which implies that $0 < \omega/a \le (\log\omega)/\varepsilon^2$. It follows that with 
probability at least $\varepsilon^2 - \varepsilon^2/\log\omega = \varepsilon^2(1 - 1/\log\omega)$ over the choice of $(x, a)$, we 
have $0 < \omega/a \le (\log\omega)/\varepsilon^2$ and the outputs of the two oracle calls are correct. 
Then, by exhaustive search over at most $(\log\omega)/\varepsilon^2 \le k/\varepsilon^2$ possibilities, we 
obtain $x$ (the correct value can be recognized by the congruence $h = g^x \pmod p$). 
Thus, with probability at least $\varepsilon^2(1 - 1/\log\omega) = \varepsilon^2(1 - o(1))$ (as $k$ grows), we 
can compute $x$ in time polynomial in $k$ and $1/\varepsilon$. □ 
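The discrete-logarithm analogue, as an added example that is not part of the paper: the Hensel-Dlog oracle is simulated by a brute-force logarithm table (only possible because the toy $\omega$ is tiny), and the reduction of Theorem 3 recovers $x$ from $g^x \bmod p^\ell$ and $g^\mu \bmod p^\ell$ by computing $r$ and then searching the interval $[r\omega/a, (r+1)\omega/a)$. The parameters $\omega = 1019$, $p = 2039$ and $g = 4$ are constructed for this example.

```python
from random import Random

# Toy parameters, constructed for this example: omega divides p - 1, g has order omega.
OMEGA = 1019                  # a prime
P = 2 * OMEGA + 1             # 2039, also prime
G = 4                         # 2^2 has order OMEGA in Z_P^*


def hensel_exponent(p, g, omega):
    """The ell of Theorem 3: g^omega = 1 mod p^(ell-1) but g^omega != 1 mod p^ell."""
    ell = 2                   # ell = 1 is impossible since g^omega = 1 mod p
    while pow(g, omega, p ** ell) == 1:
        ell += 1
    return ell


def make_hensel_dlog_oracle(p, g, omega, ell):
    """Simulated Hensel-Dlog[p, g, ell] oracle (success probability 1). It cheats
    with a brute-force logarithm table, feasible only because omega is tiny."""
    table = {pow(g, i, p): i for i in range(omega)}

    def oracle(h):
        return pow(g, table[h], p ** ell)
    return oracle


def dlog_with_hensel_oracle(p, g, omega, ell, h, oracle, rng):
    """The reduction of Theorem 3: recover x from h = g^x mod p with two oracle
    calls and an exhaustive search over an interval of length omega/a."""
    pl = p ** ell
    a = rng.randrange(1, omega)                     # a uniform in Z_omega^*
    gx = oracle(h)                                  # g^x mod p^ell
    gmu = oracle(pow(h, a, p))                      # g^mu mod p^ell, mu = a x mod omega
    # g^(a x) = g^mu g^(r omega) (mod p^ell) where a x = mu + r omega, 0 <= r < omega
    g_r_omega = pow(gx, a, pl) * pow(gmu, -1, pl) % pl
    # g^omega = 1 + p^(ell-1) z with z != 0 mod p, so g^(r omega) = 1 + p^(ell-1) r z
    z = ((pow(g, omega, pl) - 1) // p ** (ell - 1)) % p
    rz = ((g_r_omega - 1) // p ** (ell - 1)) % p
    r = rz * pow(z, -1, p) % p                      # exact, since 0 <= r < omega < p
    # only x and mu remain unknown: r omega / a <= x < (r + 1) omega / a
    lo = -((-r * omega) // a)                       # ceiling of r omega / a
    hi = ((r + 1) * omega - 1) // a
    for x in range(lo, hi + 1):
        if pow(g, x, p) == h:
            return x
    return None


def demo(seed=7):
    """Recover a few constructed exponents; returns a list of (x, recovered) pairs."""
    rng = Random(seed)
    ell = hensel_exponent(P, G, OMEGA)
    oracle = make_hensel_dlog_oracle(P, G, OMEGA, ell)
    return [(x, dlog_with_hensel_oracle(P, G, OMEGA, ell, pow(G, x, P), oracle, rng))
            for x in (0, 1, 777, OMEGA - 1)]


if __name__ == "__main__":
    print(demo())
```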


5 Conclusions 

In this paper we introduced two new functions and we studied their computational 
properties by relating them to the problems of inverting RSA and computing 
discrete logarithms. Moreover we formally proved that the one-wayness 
of the RSA-Paillier scheme [4] is actually equivalent to that of RSA, thus fixing 
an incorrect proof recently proposed by Sakurai and Takagi [12]. 

There are several open questions arising from this research. It would be nice 
to know whether it is possible to further extend our results to discover the 
exact relation existing between Paillier's Class assumption and RSA$[N, N]$. Another 
intriguing direction may be to try to improve our understanding of 
the hardness of the Hensel-Dlog function, and to find cryptographic applications. 
We proved that if one can compute $g^x \bmod p^\ell$ from $g^x \bmod p$ (in the case 
when $g^\omega \equiv 1 \bmod p^{\ell-1}$ but $g^\omega \not\equiv 1 \bmod p^\ell$) then one could compute the discrete 
logarithm function over the subgroup spanned by $g$. This implies that computing 
$g^x \bmod p^{\ell-1}$ from $g^x \bmod p$ may be potentially easier than computing discrete 
logarithms in the subgroup spanned by $g$. 
Abstract. Since the first use of a $p$-adic method for counting points 
of elliptic curves, by Satoh in 1999, several variants of his algorithm 
have been proposed. In the current state, the AGM algorithm, proposed 
by Mestre, is thought to be the fastest in practice, and the algorithm 
by Satoh-Skjernaa-Taguchi has the best asymptotic complexity but requires 
precomputations. We present an improvement of the SST algorithm, 
borrowing ideas from the AGM. We make a precise comparison 
between this modified SST algorithm and the AGM, thus demonstrating 
that the former is faster by a significant factor, even for small cryptographic 
sizes. 


1 Introduction 

In the design of an elliptic public key cryptosystem, parameter initialization is 
a difficult task; it is required to count points of curves until one is found with 
almost prime group order. In the early ages of elliptic curve cryptography, the 
only way to achieve this was to use curves with special properties like having 
complex multiplication by a small discriminant or being supersingular, though 
taking random curves might be seen as the most secure. The first polynomial 
time algorithm for point-counting was designed in 1985 by Schoof [?], but was 
not fast enough to deal with cryptographical sizes. A decade of theoretical and 
practical improvements by Atkin, Couveignes, Dewaghe, Elkies, Lercier, Morain, 
Muller led to a situation where point-counting was efficiently feasible for 
cryptographical sizes (see the survey [?] and the references therein). However, the 
cost of parameter initialization remained high (in runtime and in complexity of 
programming) compared to other systems like RSA or XTR. The situation changed 
in 1999 when Satoh [?] proposed a new algorithm for counting points of elliptic 
curves over finite fields of small characteristic. His method is based on the 
computation of the canonical lift of the curve in a $p$-adic local ring. The theoretical 
complexity is asymptotically better than all the variants of Schoof's algorithm. 
Further work by Fouquet-Gaudry-Harley [?], Skjernaa [12], Vercauteren et al. 
[?], Satoh-Skjernaa-Taguchi [?], Hae Young Kim et al. [?] made this algorithm 
practical, in particular in characteristic 2, which is the most important in 
practice. Another closely related method, based on the arithmetic-geometric mean 
(AGM), was found by Mestre, and an implementation by Harley [?] proved it to 
be very efficient. For a curve over $\mathbb{F}_{2^n}$, the complexity of all these methods is in 
$O(n^{3+\epsilon})$, except for the Satoh-Skjernaa-Taguchi (SST) method which achieves 
a complexity in $O(n^{2.5+\epsilon})$ but requires precomputations. 

In characteristic 2, with the current state of the art, AGM is thought to be 
the fastest for cryptographical sizes, due to a very small constant, and is also the 
best algorithm for computing records. The first drawback of the SST algorithm 
is the precomputation stage which is not feasible for records, but this is not at all 
a problem for cryptographical sizes, where this is easily doable and the storage 
of the precomputed data is manageable. Another problem in the SST method 
is that the defining polynomial for the local ring is dense, thus increasing the 
cost of a multiplication by a factor of 3 compared to the sparse structure used 
in AGM. 

Our contribution is twofold: firstly we mix ideas of SST and AGM to get 
what we call the modified SST algorithm (MSST) which is faster by a constant 
factor compared to the original SST algorithm. Our improvement modifies only 
the lifting phase; the norm computation which is common to both algorithms is 
not modified. Then we make a precise comparison between the MSST and AGM 
algorithms, based on an evaluation of the number of operations required at each 
precision. This turns out to be in favor of MSST, even for small cryptographical 
sizes, as confirmed by some experiments we did on a Pentium III: for curves over 
$\mathbb{F}_{2^{163}}$ we get a speed-up by a factor of 4.15 and for curves over $\mathbb{F}_{2^{239}}$ the factor 
is 4.90. 

The paper is organized as follows: in Section 2 we recall some basics and fix 
notations. In Sections 3 and 4, we give a brief description of the original SST and 
AGM algorithms. Section 5 is devoted to the mix of SST and AGM algorithms. 
Section 6 contains a theoretical comparison between MSST and AGM methods, 
and Section 7 contains the numerical experiments. 

2 General Setting and Notations 

Let $\mathbb{F}_q$ be a finite field of characteristic 2, and let $n$ be such that $q = 2^n$. Let $E$ 
be a non-supersingular elliptic curve over $\mathbb{F}_q$. For the purpose of point-counting, 
without loss of generality, and perhaps considering the quadratic twist of $E$, we 
can assume that $E$ has an equation of the form $y^2 + xy = x^3 + a_6$. Then its $j$-invariant 
is given by $j = a_6^{-1}$. Denote by $N$ the group order of $E$. The trace of $E$ 
is defined by $\mathrm{Tr}(E) = q + 1 - N$ and Hasse's theorem states that $|\mathrm{Tr}(E)| \le 2\sqrt{q}$. 

All the $p$-adic point-counting methods proceed in the same way: lift some 
data from $\mathbb{F}_q$ to a $p$-adic local ring with enough precision, and deduce a $p$-adic 
approximation of $\mathrm{Tr}(E)$ which might be enough to conclude due to Hasse's 
bound. 

In our case, the 2-adic local ring we shall consider is the ring of integers of 
the degree $n$ unramified extension of $\mathbb{Q}_2$. In the following we denote this ring by 
$\mathbb{Z}_q$ (noted $W(\mathbb{F}_q)$ in some papers, or simply $R$ in [11]). Note that $\mathbb{Z}_q$ has nothing 
to do with $\mathbb{Z}/q\mathbb{Z}$, just like the ring of 2-adic integers $\mathbb{Z}_2$ is not $\mathbb{Z}/2\mathbb{Z}$. The ring 
$\mathbb{Z}_q$ is equipped with a cyclic $\mathbb{Z}_2$-automorphism of order $n$ which reduces to the 
2-nd power Frobenius automorphism of $\mathbb{F}_q$. 

We give a constructive way to see the ring $\mathbb{Z}_q$. Let $\bar f(t)$ be the irreducible 
polynomial of degree $n$ over $\mathbb{F}_2$ chosen to define $\mathbb{F}_q = \mathbb{F}_2[t]/(\bar f(t))$. Consider 
any monic polynomial $f(t)$ with coefficients in $\mathbb{Z}_2$ which reduces to $\bar f(t)$ modulo 
2. Then $f(t)$ is irreducible and $\mathbb{Z}_q$ can be defined by $\mathbb{Z}_q = \mathbb{Z}_2[t]/(f(t))$. 
Different choices for the polynomial $f(t)$ lead to isomorphic rings. From an 
algorithmic point of view two strategies can be used: choosing a sparse $f(t)$ with 
small coefficients speeds up the basic arithmetic, because the reduction modulo 
$f(t)$ is almost for free; this is the representation used in the AGM algorithm. 
On the other hand, lifting $\bar f(t)$ in a careful way can give a representation in 
which the Frobenius substitution is efficiently computable; the price to pay is a 
dense polynomial $f(t)$, hence a non-negligible reduction modulo $f(t)$; this is the 
representation used in the SST algorithm. 

2.1 Notations in $\mathbb{Z}_q$ 

The ring $\mathbb{Z}_q$ comes with the natural "reduction modulo 2" homomorphism onto 
$\mathbb{F}_q$. For $x \in \mathbb{Z}_q$, the notation $x \bmod 2$ means the element of $\mathbb{F}_q$ image of $x$ by 
this homomorphism. The ring $\mathbb{Z}_q$ also comes with a valuation. Let $x$ and $y$ be 
elements of $\mathbb{Z}_q$; the valuation of $(x - y)$ is high when $x$ and $y$ are close to each 
other. More precisely, the valuation of $(x - y)$ is $k$ if $(x - y)$ is in $2^k \mathbb{Z}_q$; then we 
write $x \equiv y \bmod 2^k \mathbb{Z}_q$, or simply $x \equiv y \bmod 2^k$. 

In an algorithm, when we say "compute $x := \ldots \bmod 2^k$", this means that 
the expression for computing $x$ involves quantities which are known to precisions 
such that the result is known to precision at least $k$. The variable $x$ is then 
assigned an element which is congruent to the result modulo $2^k$. 

We use the same notation $\sigma$ for all kinds of 2-nd power Frobenius action: 
ring/field automorphisms of $\mathbb{F}_q$ and $\mathbb{Z}_q$, and also their coordinate-wise extensions 
to isogenies from an elliptic curve to its conjugate. There should be no confusion, 
because all the domains of these maps are distinct and all the reduction diagrams 
involving two of these $\sigma$ commute. 


2.2 Canonical Lift of an Elliptic Curve 

It is easy to find many curves over $\mathbb{Z}_q$ whose equations reduce to the equation 
of $E$ modulo 2. However, there is a canonical way to do it and keep information 
on the group order. 

Theorem 1 (Lubin-Serre-Tate). Let $E$ be a non-supersingular elliptic curve 
over $\mathbb{F}_q$. Then, up to isomorphism, there exists a unique curve $\mathcal{E}$ defined over 
$\mathbb{Z}_q$, such that: 

1. The equation of $\mathcal{E}$ reduces to the equation of $E$ modulo 2; 

2. $\mathrm{End}(\mathcal{E}) \cong \mathrm{End}(E)$. 
A consequence of this theorem is the following commutative diagram 

[diagram: the top arrow $\sigma : \mathcal{E} \to \mathcal{E}^\sigma$ reduces modulo 2 to the Frobenius $E \to E^\sigma$] 

where $\sigma$ on the top arrow is the 2-nd power Frobenius isogeny from $\mathcal{E}$ to $\mathcal{E}^\sigma$. 
This isogeny being of degree 2, the modular equation of degree 2 relates the 
$j$-invariants of the canonically lifted curves: 

$$\Phi_2(j(\mathcal{E}), j(\mathcal{E}^\sigma)) = 0,$$

where $\Phi_2(X, Y)$ is the symmetric bivariate polynomial 

$$X^3 + Y^3 - X^2 Y^2 + 1488(XY^2 + X^2 Y) - 162000(X^2 + Y^2)$$
$$+ 40773375\,XY + 8748000000(X + Y) - 157464000000000.$$

Notation: Let $c$ be an element of $\mathbb{Z}_q$ and let $\bar c$ be its reduction modulo 2. If $\bar c$ is 
not the $j$-invariant of a supersingular curve, then we denote by $c^{\uparrow}$ the $j$-invariant 
of the canonical lift of an elliptic curve whose invariant is $\bar c$. 

3 Satoh-Skjernaa-Taguchi Algorithm 

We do not describe all the details of the SST algorithm: we concentrate on the 
two main steps: firstly the $j$-invariant of the canonical lift of $E$ is computed to 
some precision, then the norm of a quantity is computed, yielding the trace. We 
refer to the original paper [?] for a description of the missing steps. 

3.1 Canonical Lifting of the $j$-Invariant 

We are given $j(E)$ in $\mathbb{F}_q \setminus \mathbb{F}_4$, and we want to compute $j(\mathcal{E})$. The value of $j(\mathcal{E})$ is 
determined one bit after the other: assume that we know $J$ such that $J \equiv j(\mathcal{E}) 
\bmod 2^k$; then writing $j(\mathcal{E}) = J + 2^k e$, and plugging it formally into the equation 
$\Phi_2(j(\mathcal{E}), j(\mathcal{E}^\sigma)) = 0$, one gets an equation yielding $e$ modulo 2. Hence we have 
gained one bit on the approximation of $j(\mathcal{E})$. 

For a more precise setting, we take a Taylor expansion: 

$$0 = \Phi_2(j(\mathcal{E}), j(\mathcal{E})^\sigma) = \Phi_2(J + 2^k e, J^\sigma + 2^k e^\sigma)$$
$$= \Phi_2(J, J^\sigma) + 2^k e\, \partial_X \Phi_2(J, J^\sigma) + 2^k e^\sigma\, \partial_Y \Phi_2(J, J^\sigma) + 2^{2k-1}(\text{element of } \mathbb{Z}_q).$$

In this equation, $\Phi_2(J, J^\sigma)$ is zero modulo $2^k$; we can therefore divide everything 
by $2^k$. Furthermore the Kronecker relation implies that $\partial_X \Phi_2(J, J^\sigma)$ is 
zero modulo 2 and that $\partial_Y \Phi_2(J, J^\sigma)$ is different from zero modulo 2. Finally we 
have $e^\sigma \equiv e^2 \bmod 2$ and we get 

$$e^2 \equiv -\frac{\Phi_2(J, J^\sigma)}{2^k\, \partial_Y \Phi_2(J, J^\sigma)} \pmod 2.$$
To turn this into an algorithm, we need to apply $\sigma$ to elements of $\mathbb{Z}_q$. For this, 
the polynomial defining $\mathbb{Z}_q$ over $\mathbb{Z}_2$ is chosen such that its roots are $(q - 1)$-th 
roots of unity. This polynomial is precomputed once and for all, for each base field. 
Hence Frobenius substitution is just reordering the coefficients and reducing 
modulo the defining polynomial (see [?] for details). 

Then we get the following first lifting algorithm (the inverse of Frobenius is used, 
thus saving the computation of the square root of $e$ in the previous formula): 

Algorithm 1. 

Input: $j$ and a desired precision $k$. 
Output: $j^{\uparrow}$ to precision $k$. 

1. $d := 1/\partial_Y \Phi_2(\sigma^{-1}(j), j)$; 

2. $y := j$; 

3. For $i$ from 1 to $k - 1$ do 

4.   $x := \sigma^{-1}(y) \bmod 2^{i+1}$; 

5.   $y := y - d\,\Phi_2(x, y) \bmod 2^{i+1}$; 

6. Return $y$; 

In a point counting context, we need $k \approx n/2$. Running the $i$-th loop requires 
1 Frobenius substitution and $O(1)$ multiplications of elements of $\mathbb{Z}_q$ at precision 
$2^{i+1}$. Therefore the cost of Algorithm 1 is in $O(n^{1+2\mu})$ bit-operations, which is 
the cost of other lifting methods. Here $\mu$ is a real such that multiplication of $k$-bit 
objects can be done in time $O(k^\mu)$. 

When looking at what is going on in Step 5, we see that $\Phi_2(x, y)$ is very close 
to zero and only the small non-zero piece of information is used to update $y$. It 
looks sub-optimal to recompute $\Phi_2(x, y)$ from scratch all the time: the values of 
$x$ and $y$ at step $i + 1$ are close to the ones at step $i$, therefore $\Phi_2(x, y)$ at step 
$i + 1$ can be deduced from its value at step $i$ and some adjustment involving 
partial derivatives. By precomputing the partial derivatives modulo $2^W$, one can 
update $\Phi_2(x, y)$ during $W$ iterations, then one needs to recompute 
$\Phi_2(x, y)$ from scratch once before doing again $W$ iterations with only cheap updates. 
These ideas yield the SST lifting algorithm, a sketch of which is reproduced in 
Algorithm 2. 

In [?] it is shown that Algorithm 2 runs in time $O(n^{2\mu + 1/(\mu+1)})$, when one 
chooses $W = n^{1/(\mu+1)}$. Therefore, it is always better than Algorithm 1 because 
$\mu > 1$. If an FFT-based multiplication algorithm is used, $\mu = 1 + \epsilon$, and we get 
a complexity of $O(n^{2.5+\epsilon})$. 

From the lifted j, a quantity can be derived which is a rational fraction in j, 
such that the norm of this quantity gives the trace of E. 

Algorithm 2. SST canonical lifting 

Input: $j$ and a desired precision $k$; a parameter $W$. 

Output: $j^{\uparrow}$ to precision $k$. 

1. $y := j^{\uparrow} \bmod 2^W$, computed via Algorithm 1; 

2. $D_X := \partial_X \Phi_2(\sigma^{-1}(y), y) \bmod 2^W$; 

   $D_Y := \partial_Y \Phi_2(\sigma^{-1}(y), y) \bmod 2^W$; 

3. For $m$ from 1 to $\lceil k/W \rceil - 1$ do 

4.   Lift arbitrarily $y$ modulo $2^{(m+1)W}$; 

5.   $V := \Phi_2(\sigma^{-1}(y), y) \bmod 2^{(m+1)W}$; 

6.   For $i$ from 0 to $W - 1$ do 

7.     Compute $y := j^{\uparrow} \bmod 2^{mW+i+1}$; 

8.     Update $V := \Phi_2(\sigma^{-1}(y), y) \bmod 2^{mW+i+1}$; 

       // Steps (7) and (8) use only operations modulo $2^W$; 

9. Return $y$; 

3.2 Fast Norm Computation 

In [?] a fast norm computation is described, that is well-suited to the case of 
point-counting in characteristic 2. It is based on the following equation: 

$$\mathrm{Norm}(x) = \exp(\mathrm{Tr}(\log(x))),$$

which holds whenever $\log$ and $\exp$ converge. Computing a trace is far easier than 
computing a norm, and the subsequent exponential is very cheap. Therefore the 
main cost is a $\log$ evaluation, which is performed by fast evaluation of power 
series. We refer to the original paper for details, and will not discuss this part 
any further, since the norm computation is a step which has to be done for any 
variant of the algorithm, and it is not the place where one is better than the 
other. 

4 AGM Algorithm 

We recall here the principles of the AGM algorithm. We give no proof of the 
results; they can be derived in a similar manner as for the other point-counting 
algorithms and are out of the scope of this paper. 

4.1 The Arithmetic-Geometric Mean (AGM) Sequence 

Let $a_6$ be an element of $\mathbb{F}_q^*$ and let $E$ be the curve of equation $y^2 + xy = x^3 + a_6$ 
with $j$-invariant $j(E) = a_6^{-1}$. We denote also by $a_6$ an arbitrary element of 
$\mathbb{Z}_q$ that reduces to $a_6$ modulo 2. We then have recursive formulae which give a 
well-defined sequence $(A_i, B_i)$ of elements of $\mathbb{Z}_q$: 

$$A_0 = 1 + 8a_6, \qquad B_0 = 1,$$

$$A_{i+1} = \frac{A_i + B_i}{2}, \qquad B_{i+1} = \sqrt{A_i B_i},$$

where the square root is chosen to be congruent to 1 modulo 4. Indeed, by 
induction, we show that if $A_i \equiv B_i \equiv 1 \bmod 4$ and $A_i/B_i = 1 + 8\alpha$ for an invertible 
$\alpha$, then the square root can be taken and, if the one which is chosen is 
congruent to 1 modulo 4, the same properties hold at step $i + 1$. 

This sequence $(A_i, B_i)$ is called the AGM sequence and we can associate to 
it the sequence of elliptic curves $E_i$ of equations $y^2 = x(x - A_i^2)(x - B_i^2)$. We 
denote by $j_i$ the $j$-invariant of the curve $E_i$. 


4.2 Link with Canonical Lifting 

It is well known that the AGM is linked to isogenies of degree 2 between elliptic 
curves. This in turn gives a link with the canonical lifting as follows: 

Theorem 2. Let $j_i$ be the $j$-invariant of the curve $E_i$ attached to the AGM 
sequence. Then the sequence $j_i$ verifies: 

$$j_0 \equiv a_6^{-2} \bmod 2,$$

$$j_{i+1} \equiv j_i^\sigma \bmod 2,$$

$$j_i \equiv j_i^{\uparrow} \bmod 2^{i+2}.$$

The first assertion shows that $E_0$ is isomorphic to the conjugate of a lift of 
the initial curve $E$ modulo 2. The second relation states that all the curves $E_i$ 
also reduce modulo 2 to conjugates of the curve $E$ (up to isomorphism). The 
third one is the heart of the AGM algorithm: it means that when progressing 
along the AGM sequence, we get closer and closer to the canonical lift. 

This yields immediately a straightforward algorithm for computing the canonical 
lift. Starting with the initial values of $(A_0, B_0)$, we apply the recursive formula 
to compute successive values of $(A_i, B_i)$. After $k$ steps, we can compute 
the $j$-invariant of the associated curve which is close to the canonical lifting of 
a conjugate of $E$ up to precision about $2^k$. 

The link with the trace is given by the following result: 

Theorem 3. Let $i > 0$ and let $c_i$ be $\mathrm{Norm}_{\mathbb{Z}_q/\mathbb{Z}_2}(A_i/A_{i+1})$. Then 

$$c_i + \frac{q}{c_i} \equiv \mathrm{Tr}(E) \bmod 2^{i+4}.$$

A point-counting algorithm follows easily: one computes the AGM sequence 
with enough steps, then a norm computation gives the trace of the initial curve 
up to some precision which is equal to the number of steps plus a constant. A 
practical complication arises: on a computer one cannot really deal with elements 
of $\mathbb{Z}_q$, but with truncated ones. At first sight, it seems that we need a high 
starting precision for $A_0$ and $B_0$, because we get less and less significant digits 
on $A_i$ and $B_i$ when at the same time the $j_i$ get closer to the canonical lift. This 
problem can be overcome by adding arbitrary noise to $A_i$ and $B_i$ just before 
doing an operation which "loses" precision like a square root or a division by 2. 

After having cleaned the details we get the following algorithm: 
Algorithm 3. AGM point-counting 

Input: $a_6$ in $\mathbb{F}_q$. 

Output: Trace of the curve $y^2 + xy = x^3 + a_6$. 

1. $a := 1 + 8a_6 \bmod 16$; $b := 1 \bmod 16$; $k := 4$; 

2. Repeat until $k = \lceil n/2 \rceil + 3$: 

3.   Lift arbitrarily $a$ and $b$ modulo $2^{k+2}$; 

4.   $(a, b) := \left(\frac{a + b}{2} \bmod 2^{k+1},\ \sqrt{ab} \bmod 2^{k+1}\right)$; 

5.   $k := k + 1$; 

6. $a' := \frac{a + b}{2}$; 

7. Return $\mathrm{Norm}(a/a') \bmod 2^{\lceil n/2 \rceil + 2}$ as a signed integer in 
$[-2\sqrt{2^n}, 2\sqrt{2^n}]$. 

4.3 Runtime Analysis 

The AGM algorithm requires $O(n)$ operations between elements of $\mathbb{Z}_q$ with maximal 
precision in $O(n)$, and then a norm computation. As said before, the norm 
computation will not be discussed here, because it is the same in every algorithm. 
The cost of the lifting process is in $O(n^{1+2\mu})$, which is the same as Algorithm 1. 
Hence Algorithm 2 by Satoh-Skjernaa-Taguchi is asymptotically faster than the 
AGM for the lifting phase (but requires precomputation). However the AGM algorithm 
has a very low constant, due to the small number of operations at each 
step and the fact that a sparse defining polynomial for $\mathbb{Z}_q$ can be used. The 
figures given in [?] suggest that for cryptographical sizes, AGM remains faster. 

5 AGM-Aided SST Algorithm 

The AGM algorithm as stated before does not appear to be mixable with the 
SST idea. Therefore, before doing so we need to rewrite it in a univariate way 
to reveal the hidden modular equation which can then be used instead of $\Phi_2$ in 
the SST algorithm. It is also this version of the AGM algorithm that we shall 
use for the comparison and the implementation in the next sections. We do not 
expect any speed difference between the univariate and the bivariate AGM. 

5.1 Univariate AGM Algorithm 

Taking again the AGM sequence as a starting point, we define a new sequence 



The corresponding curves have equation $y^2 = x(x - 1)(x - \lambda^2)$. An easy computation 
shows that $\lambda_{i+1}$ can be computed directly from $\lambda_i$ by 

Another important fact is that $\lambda_{i+1} \equiv \lambda_i^2 \bmod 2^{i+4}$, which corresponds to the 
fact that we are jumping from a curve to an approximation of its conjugate. 
The corresponding univariate AGM algorithm is as follows: 


Algorithm 4. Univariate AGM 

Input: $a_6$ in $\mathbb{F}_{2^n}$. 

Output: Trace of the curve $y^2 + xy = x^3 + a_6$. 

1. $\lambda := 1 + 8a_6 \bmod 16$; $k := 4$; 
2. Repeat until $k = \lceil n/2 \rceil + 3$: 
3. Lift arbitrarily $\lambda$ modulo $2^{k+2}$; 
4. $\lambda := \ \ \bmod 2^{k+1}$; 
5. $k := k + 1$; 
6. Return $\mathrm{Norm}(\ \ ) \bmod 2^{\lceil n/2 \rceil + 2}$ as a signed integer in 
$[-2\sqrt{2^n}, 2\sqrt{2^n}]$. 


Implementation of the Square Root. The main step of this algorithm is 
Step (4), in which we have to compute the inverse of the square root of $\lambda$ and 
to multiply the result by the other factor of Step (4). The inverse of the square root is computed via 
a Newton iteration that can be done without inversion. First we note that $\lambda$ is 
always of the form $\lambda = 1 + 8a \bmod 16$. Then $1/\sqrt{\lambda} = 1 - 4a \bmod 8$, and this will 
be the initialization of the lift. Then the iteration is 

$$x_{n+1} := x_n + \frac{x_n}{2}\,(1 - \lambda x_n^2).$$ 

If for some $n$, $x_n$ is congruent to $1/\sqrt{\lambda}$ modulo $2^k$, then one can show that $x_{n+1}$ is 
equal to $1/\sqrt{\lambda}$ modulo $2^{2k-1}$ (see for instance Lemma 2.7 in [2]). 
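As an added example (my own code, not the paper's GMP-based C implementation), the following Python carries out the inversion-free Newton iteration above on Python's arbitrary-precision integers: it starts from $1 - 4a \bmod 8$, doubles the precision minus one bit at each step ($2^k \to 2^{2k-1}$, as the cited lemma states), and checks the result by the 2-adic valuation of $\lambda x^2 - 1$. All function names are my own.

```python
def inv_sqrt_2adic(lam, prec):
    """Return x with lam * x^2 == 1 (mod 2^prec) for lam == 1 (mod 8), using
        x_{n+1} = x_n + (x_n / 2) * (1 - lam * x_n^2).
    The working precision goes from k bits to 2k-1 bits at each step."""
    if lam % 8 != 1:
        raise ValueError("lambda must be congruent to 1 modulo 8")
    a = (lam - 1) // 8
    x = (1 - 4 * a) % 8            # initial value: 1/sqrt(lambda) mod 8
    k = 3                          # current precision in bits
    while k < prec:
        new_k = min(2 * k - 1, prec)
        # 1 - lam*x^2 is even, so evaluate it one bit beyond the target and halve it;
        # this is the "division by 2" that costs one bit of precision per step.
        t = (1 - lam * x * x) % (1 << (new_k + 1))
        x = (x + x * (t >> 1)) % (1 << new_k)
        k = new_k
    return x


def precision_chain(prec, start=3):
    """Bit precisions reached by successive Newton steps (k -> 2k-1), capped at prec."""
    chain = [start]
    while chain[-1] < prec:
        chain.append(min(2 * chain[-1] - 1, prec))
    return chain


def v2(x):
    """2-adic valuation of a non-zero integer."""
    return (x & -x).bit_length() - 1


def residual_valuation(lam, prec):
    """v_2(lam * x^2 - 1) for the returned x; at least prec + 1 when x is correct
    modulo 2^prec (lam * x^2 = 1 + 2^(prec+1) * ...)."""
    x = inv_sqrt_2adic(lam, prec)
    r = lam * x * x - 1
    return float("inf") if r == 0 else v2(r)


if __name__ == "__main__":
    lam = 1 + 8 * 5                # constructed sample: a = 5, so lambda = 41
    print(precision_chain(128))    # [3, 5, 9, 17, 33, 65, 128]
    print(residual_valuation(lam, 128) >= 129)
```

The chain printed for a 128-bit target shows why the text models the precision as "exactly doubled at each step" while noting that one bit is lost: six steps from 3 bits reach 65, and the last step is capped.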


5.2 Modified Modular Equation 

In the previous algorithm, the $\lambda_i$ which is computed at the last step of the loop 
is (the conjugate of) a solution of the following equations: 

$$Z \equiv 1 + 8a_6 \bmod 16,$$ 

$$(Z^{\sigma})^2 (1 + Z)^2 - 4Z \equiv 0 \bmod 2^k.$$ 

But this is precisely the kind of system that the SST algorithm is meant to solve. It 
remains to remove the leading non-significant bits in $\lambda$, and to prove the same 
result on partial derivatives that made Algorithm 1 work. 

Let $E(X, Y)$ be the AGM modular equation: 

$$E(X, Y) = Y^2 (1 + X)^2 - 4X = 0.$$ 
We make a change of variables $X \leftarrow 1 + 8X$, $Y \leftarrow 1 + 8Y$, and the modular 
equation becomes: 

$$E(X, Y) = (X + 2Y + 8XY)^2 + Y + 4XY = 0,$$ 

which has to be solved, subject to the conditions that $X$ is known and non-zero 
modulo 2 and $Y = X^{\sigma}$. 

The partial derivatives of $E$ evaluated at $(X, Y)$ give 

$$\partial_X E(X, Y) = 2(X + 2Y + 8XY)(1 + 8Y) + 4Y,$$ 
$$\partial_Y E(X, Y) = (1 + 4X)\,\big(1 + 4(X + 2Y + 8XY)\big).$$ 

This proves that $\partial_X E(X, Y)$ is congruent to 0 modulo 2, whereas $\partial_Y E(X, Y)$ 
is 1 modulo 2, thus yielding the required asymmetry for the SST algorithm to 
converge. Note also that since the partial derivative with respect to $Y$ is 1 modulo 2, 
it is no longer necessary to compute $d$ in Step (1) of Algorithm [?]. 
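The change of variables and the parity claim can be checked mechanically. The following Python is an added example (not the paper's code): it evaluates the original and the shifted equation on a constructed grid of integer points, confirms $E(1+8X, 1+8Y) = 64\,E(X, Y)$ and the two partial derivatives (the equation is quadratic in each variable, so a central difference with step 1 is exact), and then shows what the parity asymmetry buys: with $\partial_Y E$ odd, the update $y := y - E(x, y)$ gains one bit of 2-adic precision per step with no division by the derivative. The lift keeps $x$ fixed; the Frobenius step $x = \sigma^{-1}(y)$ of the real algorithm is deliberately left out of this toy, and all names are my own.

```python
from itertools import product


def E_agm(X, Y):
    """AGM modular equation before the change of variables: Y^2 (1+X)^2 - 4X."""
    return Y * Y * (1 + X) ** 2 - 4 * X


def E(X, Y):
    """The same equation after X <- 1+8X, Y <- 1+8Y, with the common factor 64 removed."""
    return (X + 2 * Y + 8 * X * Y) ** 2 + Y + 4 * X * Y


def dX_E(X, Y):
    return 2 * (X + 2 * Y + 8 * X * Y) * (1 + 8 * Y) + 4 * Y


def dY_E(X, Y):
    return (1 + 4 * X) * (1 + 4 * (X + 2 * Y + 8 * X * Y))


# Constructed sample points; the identities below are polynomial, so any grid will do.
SAMPLE_GRID = list(product(range(-6, 7), repeat=2))


def change_of_variables_holds(samples=SAMPLE_GRID):
    """E_agm(1+8X, 1+8Y) must equal 64 * E(X, Y) identically."""
    return all(E_agm(1 + 8 * x, 1 + 8 * y) == 64 * E(x, y) for x, y in samples)


def partials_match(samples=SAMPLE_GRID):
    """E is quadratic in each variable, so (f(v+1) - f(v-1)) / 2 is exactly f'(v)."""
    return all((E(x + 1, y) - E(x - 1, y)) // 2 == dX_E(x, y)
               and (E(x, y + 1) - E(x, y - 1)) // 2 == dY_E(x, y)
               for x, y in samples)


def parity_asymmetry_holds(samples=SAMPLE_GRID):
    """dX E even and dY E odd at every integer point: the condition the SST lift needs."""
    return all(dX_E(x, y) % 2 == 0 and dY_E(x, y) % 2 == 1 for x, y in samples)


def lift_y(x, y, bits):
    """Lift y as a root of E(x, .) modulo 2^bits with x held fixed (toy version of
    Steps (2)-(4) of the MSST algorithm without the Frobenius).  Because dY E is
    odd, E(x, y - E(x, y)) = E(x, y) * (1 - dY E) + (quadratic term) vanishes one
    bit further than E(x, y) does, so no division by dY E is needed."""
    if E(x, y) % 2 != 0:
        raise ValueError("y must already be a root modulo 2")
    for i in range(1, bits):
        y = (y - E(x, y)) % (1 << (i + 1))
    return y


if __name__ == "__main__":
    print(change_of_variables_holds(), partials_match(), parity_asymmetry_holds())
    y = lift_y(1, 1, 16)           # E(1, 1) = 126 is even, so y = 1 is a root mod 2
    print(y, E(1, y) % (1 << 16))  # second value is 0
```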

5.3 Modified Satoh-Skjernaa-Taguchi (MSST) Algorithm 

According to the previous section, it is possible to use the SST algorithm to compute 
the lifted invariant of the curve (or more precisely some kind of Legendre 
invariant of the canonical lift of the curve). It remains to compute the data whose 
norm will give the result. This is actually much simpler than in the original SST 
algorithm: transposing the results of the AGM method, we can see that if $\lambda$ is a 
solution of $E(X, X^{\sigma})$ and $\lambda \equiv a_6 \bmod 2$ then the following holds: 



$\bmod 2^n$. 


We obtain Algorithm 5. 

The advantage of the MSST algorithm is twofold: firstly the modular equation 
is smaller, thus reducing by a constant factor the number of operations; secondly 
the intermediate step between the lift and the norm no longer exists, 
thus simplifying the code and giving a slight speed-up. 

6 Theoretical Comparison 

The MSST algorithm is always faster than the plain SST algorithm because it 
involves strictly fewer operations. It remains to compare it to the AGM algorithm. 

6.1 Constraint Environments 

In a constrained environment it might be preferable to choose an algorithm for 
which no precomputation needs to be stored and the RAM requirement stays low. 
In this context, the AGM algorithm (with the norm computation replaced by 
an extra loop) is by far the best choice. However, one should keep in mind that 
Algorithm 5. MSST point-counting 

Input: $a_6$ in $\mathbb{F}_{2^n}$. 

Output: Trace of the curve $y^2 + xy = x^3 + a_6$. 

1. $y := a_6$; // arbitrary lift to $2^W$. 
2. For $i$ from 1 to $W - 1$ do 
3. $x := \sigma^{-1}(y) \bmod 2^{i+1}$; 
4. $y := y - E(x, y) \bmod 2^{i+1}$; 
5. $x := \sigma^{-1}(y) \bmod 2^W$; 
6. $D_x := \partial_X E(x, y) \bmod 2^W$; $D_y := \partial_Y E(x, y) \bmod 2^W$; 
7. For $m$ from 1 to $\ \ $ do 
8. Lift arbitrarily $y$ modulo $2^{(m+1)W}$; 
9. $x := \sigma^{-1}(y) \bmod 2^{(m+1)W}$; 
10. $V := E(x, y) \bmod 2^{(m+1)W}$; 
11. For $i$ from 0 to $W - 1$ do // break if $i + mW > \lceil n/2 \rceil$ 
12. $\Delta_y := -2^{-mW} V \bmod 2^W$; 
13. $\Delta_x := \sigma^{-1}(\Delta_y) \bmod 2^W$; 
14. $y := y + 2^{mW} \Delta_y \bmod 2^{(m+1)W}$; 
15. $V := V + 2^{mW}(D_x \Delta_x + D_y \Delta_y) \bmod 2^{(m+1)W}$; 
16. Return $\mathrm{Norm}(\ \ ) \bmod 2^{\lceil n/2 \rceil + 2}$ as a signed integer in 
$[-2\sqrt{2^n}, 2\sqrt{2^n}]$. 


for a reasonable key-size, the amount of precomputed data to be stored for the 
SST algorithm is not so high: this is essentially two elements of $\mathbb{Z}_q$ at maximal 
precision; for instance, for $\mathbb{F}_{2^{163}}$, it is only a few kilobytes. This might be too 
much for a smart card, but this is not a problem on a PDA. 

We consider it unlikely that someone really wants to count points in a highly 
constrained environment. Indeed, this kind of computation is required during the 
setup of the system parameters and the result does not need to be secret at all. 
Hence a card can ask the server to do the computation if a new parameter 
setting is required. 

In the following, we shall therefore concentrate on the case where we have no 
constraints and a machine word size of 32 bits (still the most common for PCs). 

6.2 Assumptions 

We recall that we are interested in cryptographically useful sizes. In that case, 
it has been shown in [?] that in the SST algorithm it is not worthwhile to use 
a $W$ parameter different from the machine word size. Therefore we shall always 
consider that $W = 32$ is the optimal parameter for the MSST algorithm. 

Another assumption we make is that multiplying integers of size less than 
the machine word size is not significantly faster than multiplying integers of size 
exactly the machine word size. At first sight, this assumption looks reasonable 
since the assembly instructions for multiplying bytes or short integers usually do 
not require many fewer cycles than the instruction for long integers. In fact this 
is a bit misleading because in both the AGM and MSST algorithms several of these 
operations are parallelizable; one could therefore pack several small integers in 
a word-size integer and perform several multiplications at once, or one could 
also use specific multimedia instructions like the MMX or SSE2 instruction set 
in the case of the Pentium. Using those could speed up both algorithms, 
and we shall consider that we do not penalize one or the other by always using 
machine-word-size arithmetic. 


6.3 Cost Analysis 

In this section we compare the lifting parts of the AGM and the MSST algorithm. 
In MSST, we use a dense defining polynomial for $\mathbb{Z}_q$ in order to speed up 
the Frobenius substitution computation. Therefore the reduction modulo the 
defining polynomial subsequent to a multiplication or a square is costly. On the 
other hand, in the AGM we have no Frobenius substitution to perform and it is 
possible to use a sparse defining polynomial, leading to an almost free reduction. 
Therefore, reductions will be counted in the MSST algorithm whereas we shall 
neglect them in the AGM. In MSST, with the dense polynomial, the Frobenius 
substitution can be done at a cost of roughly one multiplication and one reduction, 
as explained in [?]. We do not count additions and other simpler operations. 
We use the following notation for the basic operations in $\mathbb{Z}_q$: 

P : unreduced product 
S : unreduced square 
R : reduction modulo the defining polynomial 

Furthermore, we add an index $i$ to each of these symbols to indicate the 
number of $W$-bit digits of each operand. 


MSST Algorithm. The cost to evaluate the modular equation $E$ is $P + S + 2R$. 
Each of its partial derivatives can be evaluated at a cost of $2P + 2R$, and if one 
wants both derivatives, one can share the result of one product and get a cost 
of $3P + 3R$. 

Steps (2)-(4) cost $(W - 1)(2P_1 + S_1 + 3R_1)$. 

Steps (5)-(6) cost $4P_1 + 4R_1$. 

Next we analyze the cost of Steps (8)-(15) for each value of $m$: 

Steps (9)-(10) cost $2P_{m+1} + S_{m+1} + 3R_{m+1}$. 

Steps (12)-(15) cost $W(3P_1 + 2R_1)$. Indeed, the multiplications by powers of 
2 are free, and one reduction can be saved at Step (15). Actually, as explained 
in [?], some operations could be done on one-bit operands. 

If we need to lift to precision $k$, the total cost of MSST is then 

$$(3k - W + 2)P_1 + (2k + W + 1)R_1 + (W - 1)S_1 + \sum_{m}\big(2P_{m+1} + S_{m+1} + 3R_{m+1}\big).$$ 

We then apply this formula with $W = 32$, for two base fields. 


Comparison and Combination of SST and AGM Algorithms 323 


For $\mathbb{F}_{2^{163}}$, we need a precision $k = 82$, and we get 

$$C_{\mathrm{MSST}}(163) = 216P_1 + 31S_1 + 197R_1 + 2P_2 + S_2 + 3R_2 + 2P_3 + S_3 + 3R_3.$$ 

For $\mathbb{F}_{2^{239}}$, we need a precision $k = 120$, and we get 

$$C_{\mathrm{MSST}}(239) = 330P_1 + 31S_1 + 273R_1 + 2P_2 + S_2 + 3R_2 + 2P_3 + S_3 + 3R_3 + 2P_4 + S_4 + 3R_4.$$ 

Hence we readily notice that for cryptographic sizes, only a few operations 
require multiprecision arithmetic. 

AGM Algorithm. As said above, we study the univariate AGM instead of the 
bivariate one. The key step is then clearly Step (4), and in this step the crucial 
part is the Newton iteration for computing the inverse of the square root of $\lambda$: 

$$x_{n+1} := x_n + \frac{x_n}{2}\,(1 - \lambda x_n^2).$$ 

As usual for a Newton iteration, we need to have operations with variable 
precision. If we want to compute $x_{n+1}$ with precision $k$ from $x_n$ known at precision 
roughly $k/2$, at first sight it requires one square and two products computed 
modulo $2^k$. However this can be improved: $(1 - \lambda x_n^2)$ is zero at precision $k/2$, 
because $x_n$ is already a good approximation of the result. Hence when we multiply 
this further by $x_n$, it is actually a multiplication at precision $k/2$ that 
has to be performed. One step further is explained by Karp and Markstein in 
[?]: the “self-correctingness” of this iteration allows one to compute $\lambda x_n^2$ with two 
multiplications of an operand at precision $k$ by the other at precision $k/2$. 

We note however that in our case a square ideally costs roughly one half of 
a product and that this “full times half” precision product saves one fourth of 
the operations. Thus the trick of Karp and Markstein does not help in our case. 

Estimating the number of operations in a Newton iteration is not that easy, 
due to the variable precision. To simplify the formulae we shall consider that the 
precision is exactly doubled at each step (whereas in fact one bit is lost). On the 
other hand, it is easy to write a short program that emulates the algorithm and 
counts the number of operations and the precision required, because there is no 
branching depending on the input data. Hence for a given base field, it is much 
simpler to run this emulation to evaluate the cost. We shall compare the results 
given by both approaches. 

Cost of one lift in single precision. The cost of the Newton iteration to get 
the inverse of the square root at a precision between $2^{k-1}$ and $2^k \le W$ is 
$(k - 1)(2P_1 + S_1)$. After the lift one has to multiply the result by the other factor of Step (4), which 
costs another $P_1$. 

Cost of the first $W$ iterations. We split the interval $[0, W)$ into pieces where 
the cost of the iterations is the same, and add them all. We get the following 
formula for the cost: 

$$\sum_{2 \le k \le \log_2(W)} (k - 1)\,2^{k-1}\,(2P_1 + S_1) + W P_1,$$ 

which simplifies to 

$$\big(2 + W(\log_2(W) - 2)\big)(2P_1 + S_1) + W P_1.$$ 

Cost of the $W$ iterations between precision $W$ and $2W$. The last step in a Newton 
iteration is done at a precision of two $W$-bit digits and all the others are at precision 
1. Furthermore, for each lift, the cost of the iterations at precision 1 is always 
$(\log_2(W) - 1)(2P_1 + S_1)$. Hence the cost of all the second $W$ operations is 

$$W\big((\log_2(W) - 1)(2P_1 + S_1) + P_1 + 2P_2 + S_2\big).$$ 

In this formula, we took into account the fact that in the last iteration at precision 
2, one operation only has to be done at precision 1. 

Cost of the $W$ iterations between precision $2W$ and $3W$. The last step in a 
Newton lift is done at a precision of 3 digits, thus reducing to computing the 
result at a precision between $W$ and $1.5W$. The penultimate step is therefore 
at a precision of 2 digits, and the remaining steps are done at precision 1. The 
overall cost is then 

$$W\big((\log_2(W) - 1)(2P_1 + S_1) + P_1 + 2P_2 + S_2 + 2P_3 + S_3\big).$$ 

Cost of the $W$ iterations between precision $3W$ and $4W$. The last step in a 
Newton lift is done at a precision of 4 digits, and the penultimate is done at a 
precision of 2 digits. The other steps are done at precision 1. Hence the following 
overall cost: 

$$W\big((\log_2(W) - 1)(2P_1 + S_1) + P_1 + 2P_2 + S_2 + 2P_4 + S_4\big).$$ 

Cost of one iteration at a precision of $k$ digits. The Newton iteration starts as 
always with $(\log_2(W) - 1)$ operations at a precision of 1 digit. Then there are 
$O(\log_2(k))$ operations at a precision of at most $k$ digits. Including the cost of 
the final multiplication, there is at least $2P_k + S_k$. 

We now apply our analysis to the same cases as for the MSST algorithm, 
namely $n = 163$ and $n = 239$, with $W = 32$. 

We get 

$$C_{\mathrm{AGM,th}}(163) = 696P_1 + 306S_1 + 104P_2 + 52S_2 + 40P_3 + 20S_3,$$ 

and 

$$C_{\mathrm{AGM,th}}(239) = 1038P_1 + 458S_1 + 180P_2 + 90S_2 + 64P_3 + 32S_3 + 52P_4 + 26S_4.$$ 

With the emulation program mentioned above we get: 

$$C_{\mathrm{AGM,emu}}(163) = 694P_1 + 303S_1 + 109P_2 + 57S_2 + 45P_3 + 23S_3,$$ 

and 

$$C_{\mathrm{AGM,emu}}(239) = 1033P_1 + 452S_1 + 188P_2 + 98S_2 + 64P_3 + 32S_3 + 57P_4 + 29S_4.$$ 

These values are close enough to justify the simplifications we made in our 
analysis. 
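The two operation counts above can be regenerated for any $n$ and $W$ from the formulas of this section. The Python below is an added example (my own code, not the authors' emulation program): `msst_lift_cost` is the closed MSST formula with $k = \lceil n/2 \rceil$, and `agm_lift_cost` implements the AGM model as the text idealises it (precision exactly doubled per Newton step, reductions neglected, the last Newton steps at $d, \lceil d/2 \rceil, \ldots, 2$ digits). The final AGM bit precision $\lceil n/2 \rceil + 2$ is my assumption, chosen because it reproduces the worked cases for $n = 163$ and $n = 239$; the timings are those of the first table of Section 7 for $\mathbb{F}_{2^{163}}$.

```python
from collections import Counter
from math import ceil, log2


def msst_lift_cost(n, W=32):
    """Operation count of the MSST lifting phase from the closed formula of
    Section 6.3, with k = ceil(n/2) bits of precision.  Keys are (op, digits)."""
    k = ceil(n / 2)
    cost = Counter({('P', 1): 3 * k - W + 2,
                    ('R', 1): 2 * k + W + 1,
                    ('S', 1): W - 1})
    for m in range(1, ceil(k / W)):          # one multiprecision E and sigma^{-1} per m
        cost[('P', m + 1)] += 2
        cost[('S', m + 1)] += 1
        cost[('R', m + 1)] += 3
    return cost


def newton_digit_chain(d):
    """Digit precisions of the Newton steps above one digit when the target is d
    digits: d, ceil(d/2), ..., 2 (the text's 'last' and 'penultimate' steps)."""
    chain = []
    while d > 1:
        chain.append(d)
        d = (d + 1) // 2
    return chain


def agm_lift_cost(n, W=32):
    """Operation count of the univariate AGM lifting phase under the text's
    idealisation.  Final bit precision ceil(n/2)+2 is an assumption that matches
    the two worked cases of the text."""
    if W & (W - 1):
        raise ValueError("W must be a power of two")
    lg = int(log2(W))
    cost = Counter()
    # first W iterations: sum_{2<=k<=log2 W} (k-1) 2^(k-1) (2P1+S1) + W P1
    single = sum((k - 1) * 2 ** (k - 1) for k in range(2, lg + 1))
    cost[('P', 1)] += 2 * single + W
    cost[('S', 1)] += single
    # each later iteration: log2(W)-1 single-digit steps, the final product,
    # and one step (2P + S) at every digit size in the Newton chain
    final_bits = ceil(n / 2) + 2
    for p in range(W, final_bits):
        digits = p // W + 1
        cost[('P', 1)] += 2 * (lg - 1) + 1
        cost[('S', 1)] += lg - 1
        for d in newton_digit_chain(digits):
            cost[('P', d)] += 2
            cost[('S', d)] += 1
    return cost


# Timings (ms) from the first table of Section 7, F_{2^163} on the authors' Pentium III.
TIMINGS_163 = {('P', 1): 0.11, ('S', 1): 0.07, ('R', 1): 0.14,
               ('P', 2): 1.4,  ('S', 2): 0.92, ('R', 2): 2.3,
               ('P', 3): 1.8,  ('S', 3): 1.3,  ('R', 3): 3.6}


def predicted_ms(cost, timings):
    """Weight an operation count with measured per-operation times."""
    return sum(count * timings[op] for op, count in cost.items())


if __name__ == "__main__":
    for n in (163, 239):
        print(n, dict(msst_lift_cost(n)))
        print(n, dict(agm_lift_cost(n)))
    print(round(predicted_ms(msst_lift_cost(163), TIMINGS_163), 2), "ms")   # 79.83
```

Weighting the $n = 163$ MSST count with the measured timings predicts about 80 ms for the lift, in line with the 0.08 s reported in the second table of Section 7; the same weighting of the AGM count gives about 0.39 s against a measured 0.49 s, which is consistent with the text's remark that the AGM count is a lower bound ("at least $2P_k + S_k$").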





6.4 Comparison 

We first compare the cost of the lifting up to precision $W = 32$, where all the 
operations that take place are single precision. We have to compare 

$$62P_1 + 31S_1 + 93R_1 \quad\text{and}\quad 228P_1 + 98S_1.$$ 

This clearly depends on the relative costs of $R_1$ and $P_1$. It is always possible 
to do a reduction at the cost of two products, once a small precomputation is 
done (see [?], page 247). Hence $R_1 \le 2P_1$. Note that in our implementation 
(see below) we got a ratio close to 1.5. Also $S_1$ is usually about 1.5 times faster than 
$P_1$. With these ratios, the advantage is on the MSST side. 

Next, we compare the costs for gaining $W$ bits of precision at a higher level. 
This corresponds to one iteration of Steps (8)-(15) in MSST or $W$ loops of AGM. 
Let $k$ be the number of digits corresponding to the precision. In MSST, the cost 
is 

$$2P_k + S_k + 3R_k + 96P_1 + 64R_1,$$ 

whereas in AGM we have 

$$64P_k + 32S_k + \cdots + 256P_1 + 128S_1,$$ 

where the dots contain operations at a precision strictly between 1 and $k$ digits. 

Hence MSST is clearly faster than AGM, and the difference increases 
with the size of the base field, due to the higher number of operations at multi- 
precision in AGM. 

7 Practical Experiments 

We implemented the MSST and the univariate AGM algorithm in the C programming 
language, using the GNU MP library [?] for the low-level integer multiplications. 
Multiplications in $\mathbb{Z}_q$ are done via the Karatsuba algorithm. We wrote 
specific code for the machine word-size precision because in that case many 
things are simplified and this is critical in both algorithms. We give timings for 
two field sizes: $n = 163$ and $n = 239$. All the experiments are made on a Pentium 
III at 700 MHz running Linux. The compiler is gcc version 2.96. 


Field size   Precision   Product   Square    Reduction 
163          1 word      0.11 ms   0.07 ms   0.14 ms 
             2 words     1.4 ms    0.92 ms   2.3 ms 
             3 words     1.8 ms    1.3 ms    3.6 ms 
239          1 word      0.21 ms   0.13 ms   0.29 ms 
             2 words     2.5 ms    1.7 ms    4.9 ms 
             3 words     3.4 ms    2.3 ms    6.8 ms 
             4 words     5.4 ms    4.5 ms    10.8 ms 
Field size   Lift MSST   Lift AGM   Norm computation   Total MSST   Total AGM 
163          0.08 s      0.49 s     0.05 s             0.13 s       0.54 s 
239          0.26 s      1.82 s     0.14 s             0.40 s       1.96 s 


We see that at low precision, we were able to get a reduction step faster than 
two times a product. For the two given field sizes, the ratio between the two lifting 
methods is a factor of 6 to 7 in favor of the MSST algorithm. We implemented the 
norm computation to get significant runtimes for the complete point-counting 
computation. However, this part is not as well optimized as the first step and 
the runtime we give might be improved. We only mention that in the case of the MSST 
algorithm, after the lift, we switch to the sparse representation before calling the 
same norm routine as the one used for AGM. This base conversion can be made 
very quick by precomputing the corresponding matrix. For cryptographic sizes, 
this matrix fits easily in a few megabytes, but for records, this strategy is not 
feasible. For the complete computation, the overall gain we have by choosing 
MSST instead of AGM is respectively a factor of 4.15 and 4.90 for fields of 
163 and 239 bits. 

For comparison, we recall that the runtimes given in [10] for the original SST 
algorithm were 0.76 s for a field of 163 bits and 2.54 s for 239 bits on an 866 MHz 
Pentium III. 


8 Conclusion 

We presented a modification of the SST algorithm, using ideas taken from the 
AGM algorithm to speed up the lifting phase and remove the second phase; the 
norm computation is unchanged. We did a precise theoretical and experimental 
comparison between our method and the AGM. We demonstrate that the number 
of operations is much smaller for the former. To illustrate this we implemented 
both methods with the same level of optimization; actually, they use the same 
time-critical functions. The gain is significant, even for small cryptographic 
field sizes. 

For cryptographic applications, it is required to have an almost prime group 
order. Therefore it is usually necessary to count $O(\log(n))$ curves before finding 
one suitable for cryptography. To speed up this search, in [?] the authors propose 
to mix the $p$-adic point-counting method with an early-abort strategy à la Schoof. 
Indeed for a small prime $\ell$, it is possible to decide quickly whether the group 
order is divisible by $\ell$, and if so to switch to another curve without running 
the $p$-adic algorithm. The size of the largest $\ell$ for which we do this depends on 
the relative costs of the point-counting algorithm and the early-abort. Since [3], 
the cost of point-counting has been greatly reduced, and the number of $\ell$ to 
consider must have diminished accordingly. Therefore it would be nice to also 
have new ideas in the early-abort stage to obtain another speed-up in the curve 
construction. 
Abstract. This paper provides a new method for construction of the 
generating (or basis) matrices of the $(t, n)$-threshold visual secret sharing 
scheme ($(t, n)$-VSSS) for any $n \ge 2$ and $2 \le t \le n$. We show that 
there exists a bijection between a set of generating matrices of the $(t, n)$- 
VSSS and a set of homogeneous polynomials of degree $n$ satisfying a 
certain property. We also show that the set of homogeneous polynomials 
is identified with a set of lattice points in a linear space of dimension 
$n - t + 1$ with explicitly expressed bases. These results yield a general 
formula for the generating matrices of the $(t, n)$-VSSS. The formula is 
not only theoretically of interest but also enables us to obtain efficient 
generating matrices that have been unknown. 


1 Introduction 

The visual secret sharing scheme (VSSS) is a new paradigm of secret sharing 
proposed by Naor and Shamir [?]. Letting $V = \{1, 2, \ldots, n\}$ be a set of participants, 
in the VSSS a black-white secret image is encrypted to $n$ black-white 
images called shares. The VSSS has the property that, while a qualified set of 
participants can reproduce the secret image only by stacking all of their shares, a 
forbidden subset of participants can obtain no information on the secret image 
from their shares. If every $S \subseteq V$ with $|S| \ge t$ is qualified and every $S \subseteq V$ with 
$|S| \le t - 1$ is forbidden for some $2 \le t \le n$, we call such a VSSS the $(t, n)$-VSSS, 
where $|S|$ denotes the cardinality of $S$. 

In this paper we focus on the $(t, n)$-VSSS. The literature on the $(t, n)$-VSSS for 
black-white images can be classified into the following categories: 

1. Construction of the optimal $(n, n)$-VSSS: [?]. 

2. Construction of the optimal $(t, n)$-VSSS in a certain class: [5] (for $t = 2$), [?] 
(for $t = 3, 4, 5, n - 1$). 

3. Developing algorithms to find a non-optimal $(t, n)$-VSSS without optimality: 
[?]. 

4. Giving examples of $(t, n)$-VSSS: [?], [14]. 

5. Introducing another notion of optimality: [?]. 

6. Formulating the problem of finding the optimal $(t, n)$-VSSS as a linear programming 
problem: [?]. 

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 328-[?], 2002. 
Here, the optimality of the $(t, n)$-VSSS is usually defined in terms of the clearness 
of the reproduced secret image obtained by stacking arbitrary $t$ shares. In the 
literature above, however, the most important and fascinating problem of finding 
the optimal $(t, n)$-VSSS for arbitrary $n \ge 2$ and $2 \le t \le n$ still remains unsolved. 

The $(t, n)$-VSSS is realized by using a pair of matrices $(X_0, X_1)$ called generating 
matrices (though $(X_0, X_1)$ is sometimes called basis matrices, we use a 
different terminology in order to avoid confusion). In this paper we propose a 
simple method for obtaining pairs of generating matrices of the $(t, n)$-VSSS that 
is valid for all $n \ge 2$ and $2 \le t \le n$. The polynomial representation of generating 
matrices, which was first proposed by [?] and was extended by [?], gives a 
key to the method. We show that a pair of generating matrices in a certain class 
can be identified with a lattice point in a linear space of homogeneous polynomials 
of dimension $n - t + 1$. More precisely, letting $e_i^{t,n}$, $i = 0, 1, \ldots, n - t$, be the 
bases of the linear space, for each $(\beta_0, \beta_1, \ldots, \beta_{n-t}) \in B_{n-t+1}$, where $B_{n-t+1}$ is 
the collection of all $(\beta_0, \beta_1, \ldots, \beta_{n-t})$ satisfying $\beta_i \in \mathbb{Z}$ for all $i = 0, 1, \ldots, n - t$ 
and $\sum_{i=0}^{n-t} \beta_i > 0$, we can identify $f = \sum_{i=0}^{n-t} \beta_i e_i^{t,n}$ as a pair of generating matrices. 
In addition, if we apply a simple operation to such $f$, we can obtain a more 
efficient pair of generating matrices each of which belongs to a class of matrices 
that is often treated. 

We can use the proposed method for obtaining suboptimal pairs of generating 
matrices. The optimality can be defined in an arbitrary sense, that is, we 
can maximize the relative difference [?] or minimize the number of subpixels. 
We have only to consider a finite subset $B'_{n-t+1} \subset B_{n-t+1}$ and exhaustively 
search for a pair of generating matrices in $B'_{n-t+1}$ that is the most desirable. We 
checked that this search is realistic if $n \le 9$ and found interesting examples of 
the $(t, n)$-VSSS that have been unknown. 

This paper is organized as follows. In Section 2 we first define the $(t, n)$-VSSS 
mathematically. Then, we introduce important classes of matrices called column- 
permuting matrices (CPMs) [?] and different permuting matrices (DPMs) [?]. 
We explain several properties of concatenations of CPMs or DPMs. Section 3 
is devoted to the description of the main results of this paper. We first show that there 
exists a bijection from the pairs of matrices realizing the $(t, n)$-VSSS to the set 
of homogeneous polynomials of degree $n$ satisfying a certain property. We next 
show that for any $n \ge 2$ and $2 \le t \le n$ such homogeneous polynomials are 
regarded as lattice points of a linear space of dimension $n - t + 1$. These results 
mean that, surprisingly, any one of such lattice points yields a pair of generating 
matrices of the $(t, n)$-VSSS. We also give suboptimal pairs of generating matrices 
of the $(t, n)$-VSSS obtained for all $n \le 9$ that were found by computer search. 

2 Visual Secret Sharing Scheme 

2.1 Definition of the Visual Secret Sharing Scheme 

Let $V = \{1, 2, \ldots, n\}$ be a set of participants, where $n \ge 2$. Denote the set 
composed of all the subsets of $V$ by $2^V$. Given an $n \times m$ Boolean matrix $X$ 
and an $S \in 2^V$, we define $X[S]$ as the $|S| \times m$ matrix that is the restriction 
of $X$ to the rows specified by $S$. The “or” of all the rows in $X[S]$ is denoted 
by $\mathrm{OR}(X[S])$. In addition, the Hamming weight of $\mathrm{OR}(X[S])$ is denoted by 
$h(\mathrm{OR}(X[S]))$. Letting $t$ be an arbitrary integer satisfying $2 \le t \le n$, we define 
the $(t, n)$-threshold visual secret sharing scheme ($(t, n)$-VSSS for short) in the 
following way: 

Definition 1 (Naor and Shamir [14]). Let $C_0$ and $C_1$ be collections of $n \times m$ 
matrices. We say that a pair $(C_0, C_1)$ forms the $(t, n)$-VSSS if $(C_0, C_1)$ satisfies 
both of the following two conditions: 

1. There exist constants $d > 0$ and $\alpha > 0$ satisfying: 

(a) For any $S \in 2^V$ with $|S| = t$, $h(\mathrm{OR}(X[S])) \le d - \alpha m$ for all $X \in C_0$. 

(b) For any $S \in 2^V$ with $|S| = t$, $h(\mathrm{OR}(X[S])) \ge d$ for all $X \in C_1$. 

2. For an $S \in 2^V$ and $i = 0, 1$ define $\mathcal{D}_i[S]$ as the collection of $X[S]$, $X \in C_i$. 
Then, for any $S \in 2^V$ with $|S| < t$, $\mathcal{D}_0[S]$ and $\mathcal{D}_1[S]$ are indistinguishable in 
the sense that they contain the same matrices with the same frequencies. 

A secret image, which is assumed to be a black-white image, is encrypted 
into $n$ images called shares in the following way. Every pixel in the secret 
image is encrypted as $m$ pixels called subpixels in each share. We first choose 
an element $X \in C_0$ ($X \in C_1$) randomly with uniform distribution if the pixel to 
be encrypted is white (black). Then, for $i = 1, 2, \ldots, n$ we encrypt the pixel as 
the $m$ subpixels specified by the $i$-th row of $X$. This encryption is repeated until 
all the pixels in the secret image are encrypted. We assume that the $i$-th share is 
distributed to participant $i$ for $i = 1, 2, \ldots, n$. 

Condition 1-(a) in Definition 1 guarantees that for any $S \in 2^V$ with $|S| = t$ a 
black-white secret image is reproduced only by stacking all of the shares specified 
by $S$. When we stack arbitrary $t$ shares in an arbitrary order, we can perceive a 
gap of more than $\alpha m$ in the Hamming weights of the $m$ stacked subpixels. 
That is, the $m$ stacked subpixels corresponding to a white pixel in the secret 
image look brighter than the $m$ stacked subpixels corresponding to a black pixel. 
Here, the parameter $\alpha$ is called the relative difference [?]. In general, the greater 
$\alpha$ becomes, the more clearly we can perceive the secret image. On the other hand, 
condition 2 in Definition 1 means that no information on the secret image is 
revealed from the shares specified by $S$ for any $S \in 2^V$ with $|S| \le t - 1$. In fact, 
if $|S| \le t - 1$, the participants in $S$ can obtain no information on the color of a 
pixel because both $\mathcal{D}_0[S]$ and $\mathcal{D}_1[S]$ contain $X[S]$ with the same frequencies. 

It is often the case that $C_0$ and $C_1$ are constructed from all the permutations of rows 
of two matrices $X_0$ and $X_1$. We call such matrices the generating matrices. 
Though such matrices are sometimes called the basis matrices rather than the 
generating matrices [?], we call $(X_0, X_1)$ a pair of generating matrices in this 
paper because we use the term “basis” for expressing a different, but ordinary, 
notion. Throughout this paper we consider construction of the $(t, n)$-VSSS using 
a pair of generating matrices. See [?] for examples of generating matrices. 
2.2 Polynomial Representation of Generator Matrices 


Hereafter, we consider generating matrices that belong to a certain class. 
We define two classes of matrices called the column-permuting matrices (CPMs) 
[?] and the different permuting matrices (DPMs) [?]. 

Consider a Boolean vector $V = [v_1, v_2, \ldots, v_n]^T$ with $n$ components, where 
the superscript $T$ denotes the transpose. We can obtain $n!$ vectors from all the 
permutations (permitting multiplicity) of the components of $V$. The $n \times n!$ matrix 
$M_n(v_1, v_2, \ldots, v_n)$ containing all of such $n!$ vectors as rows is called a column- 
permuting matrix (CPM) of order $n$ [?]. For the case of $n = 3$ and $V = [0, 0, 1]^T$, 
$M_3(0, 0, 1)$ can be expressed as 

$$M_3(0, 0, 1) = \begin{pmatrix} 0 & 0 & 1 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 & 0 & 1 \\ 1 & 1 & 0 & 0 & 0 & 0 \end{pmatrix}. \qquad (1)$$ 

(In order to avoid confusion, readers may consider $M_3(v_1, v_2, v_3)$ with distinct 
$v_1, v_2$ and $v_3$ and set $v_1 = 0$, $v_2 = 0$ and $v_3 = 1$.) We regard two CPMs as 
identical if an adequate permutation of rows of one equals the other. We 
represent the CPM obtained from a vector with $k$ 1's and $n - k$ 0's as the 
monomial $a^{n-k} z^k$, where $a$ and $z$ are the symbols corresponding to 0 and 1, 
respectively. For example, $M_3(0, 0, 1)$ in (1) is represented as $a^2 z$. 

Next, we consider concatenations of CPMs. Letting $M_n(u_1, u_2, \ldots, u_n)$ and 
$M_n(v_1, v_2, \ldots, v_n)$ be two CPMs with $u_i, v_i \in \{0, 1\}$ for all $i = 1, 2, \ldots, n$, 
we denote the concatenation of $M_n(u_1, u_2, \ldots, u_n)$ and $M_n(v_1, v_2, \ldots, v_n)$ by 
$M_n(u_1, u_2, \ldots, u_n) \oplus M_n(v_1, v_2, \ldots, v_n)$. Here, we regard $M_n(u_1, u_2, \ldots, u_n) \oplus 
M_n(v_1, v_2, \ldots, v_n)$ as the $n \times (2 \cdot n!)$ matrix containing all the permutations (permitting 
multiplicity) of the two Boolean vectors $[u_1, u_2, \ldots, u_n]^T$ and $[v_1, v_2, \ldots, v_n]^T$. 
We regard two concatenations of CPMs as identical if an adequate permutation 
of rows of one equals the other. Letting $[u_1, u_2, \ldots, u_n]^T$ be a Boolean 
vector with $k$ 1's and $n - k$ 0's and $[v_1, v_2, \ldots, v_n]^T$ a Boolean vector with $l$ 
1's and $n - l$ 0's, we represent $M_n(u_1, u_2, \ldots, u_n) \oplus M_n(v_1, v_2, \ldots, v_n)$ as the 
polynomial $a^{n-k} z^k + a^{n-l} z^l$. That is, the concatenation of matrices is represented 
by using $+$ in the polynomial representation. In particular, for the case 
of $k = l$ we express $a^{n-k} z^k + a^{n-k} z^k$ as $2a^{n-k} z^k$ for short. Obviously, any 
concatenation of CPMs of order $n$ is represented as a homogeneous polynomial 
in $a$ and $z$ of degree $n$. In addition, it is important to notice that two concatenations 
of CPMs are identical if and only if the polynomial representation 
of one is equal to that of the other in the ordinary sense. For example, the concatenation 
of CPMs $M_3(0, 0, 0) \oplus M_3(0, 1, 1) \oplus M_3(0, 1, 1) \oplus M_3(1, 1, 1)$, which is represented 
as $a^3 + 2az^2 + z^3$, is identical with another concatenation of CPMs 
$M_3(0, 1, 1) \oplus M_3(1, 1, 1) \oplus M_3(0, 1, 1) \oplus M_3(0, 0, 0)$ that also has the polynomial 
representation $az^2 + z^3 + az^2 + a^3 = a^3 + 2az^2 + z^3$. 

It is important to notice that we can represent the operation in which we 
eliminate an arbitrary row from a CPM $M_n(v_1, v_2, \ldots, v_n)$ as application of the 
partial differential operator $\psi = \frac{\partial}{\partial a} + \frac{\partial}{\partial z}$ to the polynomial representation of 
$M_n(v_1, v_2, \ldots, v_n)$. For example, if we eliminate the third row of $M_3(0, 0, 1)$ 
in (1), we have $M_2(0, 0) \oplus M_2(0, 1) \oplus M_2(0, 1)$. This operation is represented as 
$\psi(a^2 z) = a^2 + 2az$ in the polynomial representation. The definition of the CPM 
guarantees that we can obtain the same matrix if we eliminate either the first 
row or the second row instead of the third row. In the same way, the operation 
eliminating $j$ arbitrary rows from a CPM is represented as application of $\psi$ to 
its polynomial representation repeatedly $j$ times. The repeated application 
of $\psi$ $j$ times is denoted by $\psi^j$. It is obvious that the same property on the 
elimination of rows also holds for concatenations of CPMs. 

Next, we define the different permuting matrix (DPM). While [?] use 
different terminology for the same class of matrices, we follow the terminology 
given in [?]. Consider a Boolean vector $V = [v_1, v_2, \ldots, v_n]^T$. Suppose that 
$V$ contains $k$ 1's and $n - k$ 0's as its components. Then, we can obtain $\binom{n}{k}$ 
different vectors from all the permutations of components of $V$. The $n \times \binom{n}{k}$ 
matrix containing all of such $\binom{n}{k}$ vectors as rows is called a different permuting 
matrix (DPM) of order $n$ and is denoted by $N_n(v_1, v_2, \ldots, v_n)$. For the case of 
$n = 3$, $N_3(0, 0, 0)$ and $N_3(0, 0, 1)$ are written as 

$$N_3(0, 0, 0) = \begin{pmatrix} 0 \\ 0 \\ 0 \end{pmatrix} \quad\text{and}\quad N_3(0, 0, 1) = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}. \qquad (2)$$ 


It is important to notice that $M_3(0,0,1)$ in (1) satisfies $M_3(0,0,1) = N_3(0,0,1) \odot N_3(0,0,1)$ (recall that the rows of $M_3(0,0,1)$ can be permuted adequately). More generally, for $[v_1, v_2, \ldots, v_n]^T$ containing $k$ 1's and $n-k$ 0's, it is easy to verify that $M_n(v_1, v_2, \ldots, v_n)$ is the concatenation of $(n-k)!\,k!$ copies of $N_n(v_1, v_2, \ldots, v_n)$.

This motivates us to represent $N_n(v_1, v_2, \ldots, v_n)$ as the monomial $\frac{a^{n-k} z^k}{(n-k)!\,k!}$. In particular, for the cases of $k = 0$ and $k = n$ we use the representations $\frac{a^n}{n!}$ and $\frac{z^n}{n!}$, respectively. We also use $+$ for denoting concatenation of DPMs. Then, it obviously follows that eliminating an arbitrary row from a DPM is represented as application of $\psi = \frac{\partial}{\partial a} + \frac{\partial}{\partial z}$ to the monomial representation of the DPM. In fact, if we eliminate the third row from $N_3(0,0,1)$, which is represented as $\frac{a^2 z}{2!\,1!}$, we have the concatenation of DPMs represented as $\psi\!\left(\frac{a^2 z}{2!\,1!}\right) = az + \frac{a^2}{2!}$. In addition, eliminating $j$ arbitrary rows from a DPM is represented as application of $\psi^j$ to its monomial representation. It is obvious that the same property on the elimination of rows holds for concatenations of DPMs.

Now, we introduce the following four sets of homogeneous polynomials:

$$\mathcal{H}_n = \Bigl\{ \sum_{i=0}^{n} \gamma_i a^{n-i} z^i : \gamma_i \in \mathbb{Z} \text{ for all } i = 0, 1, \ldots, n \Bigr\}, \qquad (3)$$

$$\mathcal{H}_n^+ = \Bigl\{ \sum_{i=0}^{n} \gamma_i a^{n-i} z^i : \gamma_i \in \mathbb{Z} \text{ and } \gamma_i \geq 0 \text{ for all } i = 0, 1, \ldots, n \Bigr\}, \qquad (4)$$

$$\mathcal{K}_n = \Bigl\{ \sum_{i=0}^{n} \gamma_i \frac{a^{n-i} z^i}{(n-i)!\,i!} : \gamma_i \in \mathbb{Z} \text{ for all } i = 0, 1, \ldots, n \Bigr\}, \qquad (5)$$

$$\mathcal{K}_n^+ = \Bigl\{ \sum_{i=0}^{n} \gamma_i \frac{a^{n-i} z^i}{(n-i)!\,i!} : \gamma_i \in \mathbb{Z} \text{ and } \gamma_i \geq 0 \text{ for all } i = 0, 1, \ldots, n \Bigr\}, \qquad (6)$$

where $\mathbb{Z}$ denotes the set of all integers. Then, as a summary, we have the following proposition.

Proposition 1. (a) Any concatenation of CPMs (DPMs) of order $n$ is expressed as an element of $\mathcal{H}_n^+$ ($\mathcal{K}_n^+$). Conversely, any element of $\mathcal{H}_n^+$ ($\mathcal{K}_n^+$) is interpreted as a concatenation of CPMs (DPMs) of order $n$.

(b) Let $X$ be any concatenation of CPMs (DPMs) with the polynomial representation $f \in \mathcal{H}_n^+$ ($f \in \mathcal{K}_n^+$). Then, for any $1 \leq j \leq n-1$ the polynomial representation of the matrix obtained by eliminating arbitrary $j$ rows from $X$ is given by $\psi^j f$.

Then, we have the following theorem. While the primary version of Theorem 1-(a) was given by Koga, Iwamoto and Yamamoto [10] for the $(t,n)$-VSSS of color images, Kuwakado and Tanaka [ref] pointed out that Theorem 1-(b) holds for the case of the $(t,n)$-VSSS of black-white images. The proof of Theorem 1 is given in Appendix A for readers' convenience.

Theorem 1. (a) Suppose that $f_0 \in \mathcal{H}_n^+$ and $f_1 \in \mathcal{H}_n^+$ satisfy

$$\psi^{n-t+1} f_0 = \psi^{n-t+1} f_1 \qquad (7)$$

and

$$\psi^{n-t} f_0 \big|_{z=0} = C_0 a^t, \qquad \psi^{n-t} f_1 \big|_{z=0} = C_1 a^t \qquad (8)$$

for some nonnegative integers $C_0$ and $C_1$ with $C_0 > C_1$. Define $X_0$ and $X_1$ as the concatenations of CPMs with the polynomial expressions $f_0$ and $f_1$, respectively. Then, $(X_0, X_1)$ becomes a pair of generating matrices of the $(t,n)$-VSSS.

(b) Suppose that $g_0 \in \mathcal{K}_n^+$ and $g_1 \in \mathcal{K}_n^+$ satisfy

$$\psi^{n-t+1} g_0 = \psi^{n-t+1} g_1 \qquad (9)$$

and

$$\psi^{n-t} g_0 \big|_{z=0} = C_0 \frac{a^t}{t!}, \qquad \psi^{n-t} g_1 \big|_{z=0} = C_1 \frac{a^t}{t!} \qquad (10)$$

for some nonnegative integers $C_0$ and $C_1$ with $C_0 > C_1$. Define $X_0$ and $X_1$ as the concatenations of DPMs with the polynomial expressions $g_0$ and $g_1$, respectively. Then, $(X_0, X_1)$ becomes a pair of generating matrices of the $(t,n)$-VSSS.

We conclude this section by introducing two more notions. First, we define the decomposition of an element of $\mathcal{H}_n$ or $\mathcal{K}_n$. If an $f \in \mathcal{H}_n$ is written as $f = f^+ - f^-$, where $f^+$ and $f^-$ belong to $\mathcal{H}_n^+ \cup \{0\}$ and $f^+$ and $f^-$ contain no term in common, we call $f = f^+ - f^-$ the decomposition of $f$. For example, if $f = a^2 z - a z^2 + z^3 \in \mathcal{H}_3$, we have $f^+ = a^2 z + z^3$ and $f^- = a z^2$. Note that the decomposition is unique and $f^+$ ($f^-$) equals zero if all the terms in $f$ have negative (positive) coefficients. The decomposition of $g \in \mathcal{K}_n$ is defined in the same way. That is, if $g = \frac{a^2 z}{2!\,1!} - \frac{a z^2}{1!\,2!} + 2\frac{z^3}{3!} \in \mathcal{K}_3$, we have $g^+ = \frac{a^2 z}{2!\,1!} + 2\frac{z^3}{3!}$ and $g^- = \frac{a z^2}{1!\,2!}$. Next, we define the norm of $f \in \mathcal{H}_n$. Suppose that $f$ is expressed as $f = \sum_{i=0}^{n} \gamma_i a^{n-i} z^i$. Then, the norm $\|f\|$ of $f$ is defined by $\|f\| = \sum_{i=0}^{n} |\gamma_i|$, where $|\gamma_i|$ denotes the absolute value of $\gamma_i$. Clearly, $\|f\| \geq 0$ for all $f \in \mathcal{H}_n$ and $\|f\| = 0$ if and only if $f = 0$. It is clear that for the matrix $X$ with a polynomial expression $f \in \mathcal{H}_n^+$, $\|f\|$ means the number of CPMs contained in $X$.

3 Main Results 

3.1 Characterization of the (t, n)-VSSS as a Vector Space 

Theorem 1-(a) guarantees that, if we can find $f_0 \in \mathcal{H}_n^+$ and $f_1 \in \mathcal{H}_n^+$ satisfying (7) and (8), we obtain a pair of generating matrices $(X_0, X_1)$ of the $(t,n)$-VSSS, where $X_0$ and $X_1$ are the concatenations of CPMs corresponding to $f_0$ and $f_1$, respectively. However, Theorem 1 does not tell us at all how we can find such $f_0$ and $f_1$. Since $\psi^{n-t+1}$ and $\psi^{n-t}$ are linear, the homogeneous polynomial $f \in \mathcal{H}_n$ defined by $f = f_0 - f_1$ satisfies $\psi^{n-t+1} f = 0$ and $\psi^{n-t} f|_{z=0} = C a^t$ for some integer $C > 0$. This motivates us to define the following subsets of $\mathcal{H}_n$ and $\mathcal{K}_n$:

$$\mathcal{F}_{t,n} = \{ f \in \mathcal{H}_n : \psi^{n-t+1} f = 0 \text{ and } \psi^{n-t} f|_{z=0} = C a^t \text{ for some integer } C > 0 \},$$

$$\mathcal{G}_{t,n} = \{ g \in \mathcal{K}_n : \psi^{n-t+1} g = 0 \text{ and } \psi^{n-t} g|_{z=0} = C \tfrac{a^t}{t!} \text{ for some integer } C > 0 \}.$$

We also define the sets of pairs of matrices by

$$\mathcal{M}_{t,n} = \{ (X_0, X_1) : X_0 \text{ and } X_1 \text{ satisfy all of (A1), (B1), (C1), (D1)} \},$$

$$\mathcal{N}_{t,n} = \{ (X_0, X_1) : X_0 \text{ and } X_1 \text{ satisfy all of (A2), (B2), (C1), (D1)} \},$$

where conditions (A1), (A2), (B1), (B2), (C1) and (D1) are given as follows:

(A1) both $X_0$ and $X_1$ are concatenations of CPMs,

(A2) both $X_0$ and $X_1$ are concatenations of DPMs,

(B1) $X_0$ and $X_1$ contain no CPM in common,

(B2) $X_0$ and $X_1$ contain no DPM in common,

(C1) $X_0[S] = X_1[S]$ for any $S \in 2^{\mathcal{V}}$ with $|S| = t-1$, where the equality $X_0[S] = X_1[S]$ is interpreted in the sense that $X_1[S]$ coincides with $X_0[S]$ by an adequate permutation of rows,

(D1) $h(\mathrm{OR}(X_0[S])) < h(\mathrm{OR}(X_1[S]))$ for any $S \in 2^{\mathcal{V}}$ with $|S| = t$, where $h(\cdot)$ denotes the Hamming weight.

That is, $\mathcal{M}_{t,n}$ ($\mathcal{N}_{t,n}$) is the set of all the pairs of generating matrices obtained by concatenations of CPMs (DPMs) containing no CPM (DPM) in common. Then, we have the following theorem, which is a stronger version of Theorem 1.

Theorem 2. For any $n \geq 2$ and $2 \leq t \leq n$, there exist bijections $\varphi : \mathcal{M}_{t,n} \to \mathcal{F}_{t,n}$ and $\sigma : \mathcal{N}_{t,n} \to \mathcal{G}_{t,n}$.
Proof. We only prove the existence of a bijection $\varphi : \mathcal{M}_{t,n} \to \mathcal{F}_{t,n}$ below because the existence of $\sigma : \mathcal{N}_{t,n} \to \mathcal{G}_{t,n}$ can be proved in the same way.

Suppose that $(X_0, X_1) \in \mathcal{M}_{t,n}$. Since $X_0$ and $X_1$ are assumed to be concatenations of CPMs, Proposition 1 guarantees that there exist unique $f_0 \in \mathcal{H}_n^+$ and $f_1 \in \mathcal{H}_n^+$ corresponding to $X_0$ and $X_1$, respectively. In addition, we note that the converse of Theorem 1 is also true. That is, such $f_0$ and $f_1$ satisfy (7) and (8). We define $f$ by $f = f_0 - f_1$. Clearly, $f$ belongs to $\mathcal{H}_n$ and satisfies

$$\psi^{n-t+1} f = 0 \quad \text{and} \quad \psi^{n-t} f\big|_{z=0} = (C_1 - C_2)\, a^t \qquad (11)$$

due to the linearity of $\psi^{n-t+1}$ and $\psi^{n-t}$. Since $C_1 > C_2$ from Definition 1 and the definitions of $f_0$, $f_1$ and $f$, (11) guarantees that $f \in \mathcal{F}_{t,n}$. We define $\varphi$ as the mapping that maps a pair $(X_0, X_1) \in \mathcal{M}_{t,n}$ to $f = f_0 - f_1 \in \mathcal{F}_{t,n}$, where $f_0$ and $f_1$ are the polynomial representations of $X_0$ and $X_1$, respectively.

First, we prove that $\varphi$ is one-to-one. Assume that $(X_0, X_1) \in \mathcal{M}_{t,n}$ and $(\tilde X_0, \tilde X_1) \in \mathcal{M}_{t,n}$ satisfy $\varphi(X_0, X_1) = \varphi(\tilde X_0, \tilde X_1)$. Let $f_0, f_1, \tilde f_0$ and $\tilde f_1$ be the polynomial expressions of $X_0, X_1, \tilde X_0$ and $\tilde X_1$, respectively. Note that, since $(X_0, X_1) \in \mathcal{M}_{t,n}$, $f_0$ and $f_1$ contain no term in common due to the definition of $\mathcal{M}_{t,n}$. Similarly, $\tilde f_0$ and $\tilde f_1$ contain no term in common as well. It is important to notice that $\varphi(X_0, X_1) = \varphi(\tilde X_0, \tilde X_1)$ means that $f_0 - f_1 = \tilde f_0 - \tilde f_1$, i.e.,

$$f_0 - \tilde f_0 = f_1 - \tilde f_1. \qquad (12)$$

Now, define $h$ by $h = f_0 - \tilde f_0$. Clearly, $h \in \mathcal{H}_n$ because both $f_0$ and $\tilde f_0$ belong to $\mathcal{H}_n$. Denoting the decomposition of $h$ by $h = h^+ - h^-$, (12) leads to

$$f_0 + h^- = \tilde f_0 + h^+, \qquad f_1 + h^- = \tilde f_1 + h^+. \qquad (13)$$

Since $h^+$ and $h^-$ contain no term in common due to the definition of the decomposition, (13) means that both $f_0$ and $f_1$ contain $h^+$ in common. This implies that $h^+ = 0$ because $f_0$ and $f_1$ contain no term in common by assumption. Similarly, we obtain $h^- = 0$, and therefore, we have $h = 0$. By combining $h = 0$ with (12), we have $f_0 = \tilde f_0$ and $f_1 = \tilde f_1$, i.e., $(X_0, X_1) = (\tilde X_0, \tilde X_1)$, which shows that $\varphi$ is one-to-one.

Next, we prove that $\varphi$ is onto. To this end, fix an $f \in \mathcal{F}_{t,n}$ arbitrarily. Then, it holds that $\psi^{n-t+1} f = 0$ and $\psi^{n-t} f|_{z=0} = C a^t$ for some integer $C > 0$. Letting $f = f^+ - f^-$ be the decomposition of $f$, it follows that $\psi^{n-t+1} f^+ = \psi^{n-t+1} f^-$ and

$$\psi^{n-t} f^+\big|_{z=0} - \psi^{n-t} f^-\big|_{z=0} = C a^t \qquad (14)$$

owing to the linearity of $\psi^{n-t+1}$ and $\psi^{n-t}$. In addition, since $f^+$ and $f^-$ belong to $\mathcal{H}_n^+ \cup \{0\}$, there exist integers $C_0 \geq 0$ and $C_1 \geq 0$ such that $\psi^{n-t} f^+|_{z=0} = C_0 a^t$ and $\psi^{n-t} f^-|_{z=0} = C_1 a^t$. In view of (14), $C_0$ and $C_1$ satisfy $C_0 = C_1 + C > C_1$. Therefore, by virtue of Theorem 1-(a), the pair of matrices $(X_0, X_1)$ corresponding to $(f^+, f^-)$ satisfies $(X_0, X_1) \in \mathcal{M}_{t,n}$. □
Since Theorem 2 guarantees the existence of a bijection $\varphi : \mathcal{M}_{t,n} \to \mathcal{F}_{t,n}$, we can learn more about $\mathcal{M}_{t,n}$ by developing properties of $\mathcal{F}_{t,n}$. The following lemma characterizes a key property of a set including $\mathcal{F}_{t,n}$.

Lemma 1. Define

$$\mathcal{E}_{t,n} = \{ f \in \mathcal{R}_n : \psi^{n-t+1} f = 0 \}, \qquad (15)$$

where

$$\mathcal{R}_n = \Bigl\{ \sum_{i=0}^{n} \gamma_i a^{n-i} z^i : \gamma_i \in \mathbb{R} \Bigr\}$$

and $\mathbb{R}$ denotes the set of all real numbers. Then, $\mathcal{E}_{t,n}$ is a linear space of dimension $n-t+1$ with bases

$$e^{(i)}_{t,n} = a^{n-t-i} z^i (a - z)^t, \qquad i = 0, 1, \ldots, n-t. \qquad (16)$$

Proof. Clearly, the linearity of $\psi^{n-t+1}$ implies that $\mathcal{E}_{t,n}$ is a linear space. We prove both $\dim \mathcal{E}_{t,n} \geq n-t+1$ and $\dim \mathcal{E}_{t,n} \leq n-t+1$, where $\dim \mathcal{E}_{t,n}$ denotes the dimension of $\mathcal{E}_{t,n}$. We can see from the proof below that $e^{(i)}_{t,n}$, $0 \leq i \leq n-t$, form bases of $\mathcal{E}_{t,n}$.

First, we prove $\dim \mathcal{E}_{t,n} \geq n-t+1$. We use the formula similar to the Leibniz formula

$$\psi^k (f g) = \sum_{j=0}^{k} \binom{k}{j} \bigl(\psi^{k-j} f\bigr)\bigl(\psi^{j} g\bigr) \qquad (17)$$

for all $k \geq 1$ and infinitely differentiable $f$ and $g$, which can be easily proved by induction on $k$. Letting $i$ be an arbitrary integer with $0 \leq i \leq n-t$, it follows from (17) that

$$\psi^{n-t+1} e^{(i)}_{t,n} = \psi^{n-t+1}\bigl(a^{n-t-i} z^i (a-z)^t\bigr) = \sum_{j=0}^{n-t+1} \binom{n-t+1}{j} \bigl(\psi^{n-t+1-j} a^{n-t-i} z^i\bigr)\bigl(\psi^{j}(a-z)^t\bigr). \qquad (18)$$

By noticing that $\psi^j (a-z)^t = 0$ for all $j \geq 1$, (18) leads to

$$\psi^{n-t+1} e^{(i)}_{t,n} = \bigl(\psi^{n-t+1} a^{n-t-i} z^i\bigr)(a-z)^t = 0, \qquad (19)$$

where the last equality in (19) follows because $\psi^{n-t+1} f = 0$ for any $f \in \mathcal{R}_k$ with $k < n-t+1$. Hence, we have $\psi^{n-t+1} e^{(i)}_{t,n} = 0$ for all $i = 0, 1, \ldots, n-t$.

We can verify that $e^{(i)}_{t,n}$, $0 \leq i \leq n-t$, are linearly independent in the following way. Assume that there exist real numbers $\beta_0, \beta_1, \ldots, \beta_{n-t}$ satisfying

$$\sum_{i=0}^{n-t} \beta_i e^{(i)}_{t,n} = 0. \qquad (20)$$

We notice that the greatest degree with respect to $a$ on the left-hand side of (20) is at most $n$ and a term including $a^n$ appears only in $e^{(0)}_{t,n}$. This means that $\beta_0 = 0$. By repeating this argument, we have $\beta_0 = \beta_1 = \cdots = \beta_{n-t} = 0$. Hence, it turns out that $e^{(i)}_{t,n}$, $0 \leq i \leq n-t$, are linearly independent. Consequently, we have established that $\dim \mathcal{E}_{t,n} \geq n-t+1$.

Next, we prove $\dim \mathcal{E}_{t,n} \leq n-t+1$. We prove that any $f \in \mathcal{E}_{t,n}$ can be expressed as a linear combination of $e^{(i)}_{t,n}$, $0 \leq i \leq n-t$. To this end, fix

$$f = \sum_{i=0}^{n} \gamma_i a^{n-i} z^i \in \mathcal{E}_{t,n} \qquad (21)$$

arbitrarily, where $\gamma_i \in \mathbb{R}$ for all $i = 0, 1, \ldots, n$. Then, since among the bases $e^{(i)}_{t,n}$, $0 \leq i \leq n-t$, the term including $a^n$ is contained only in $e^{(0)}_{t,n}$ and the coefficient of such a term in $e^{(0)}_{t,n}$ is equal to 1, $f$ can be written as

$$f = \gamma_0 e^{(0)}_{t,n} + \bigl(f - \gamma_0 e^{(0)}_{t,n}\bigr). \qquad (22)$$

Notice that the greatest degree with respect to $a$ of the second term in (22) is at most $n-1$. That is, we can rewrite (22) in the following form:

$$f = \gamma_0 e^{(0)}_{t,n} + \sum_{i=1}^{n} \gamma'_i a^{n-i} z^i, \qquad (23)$$

where $\gamma'_i$, $1 \leq i \leq n$, are constants determined from $\gamma_i$ and $e^{(0)}_{t,n}$. By repeating this argument, we next have

$$f = \gamma_0 e^{(0)}_{t,n} + \gamma'_1 e^{(1)}_{t,n} + \sum_{i=2}^{n} \gamma''_i a^{n-i} z^i \qquad (24)$$

and finally have

$$f = \sum_{i=0}^{n-t} \gamma^*_i e^{(i)}_{t,n} + g, \qquad (25)$$

where $\gamma^*_i$, $0 \leq i \leq n-t$, are constants, $g = z^{n-t+1} h$ and $h \in \mathcal{R}_{t-1}$. Here, we use the following lemma, which is proved in Appendix B.

Lemma 2. Let $l$ be an arbitrary integer satisfying $0 \leq l \leq n$. If $g \in \mathcal{R}_n$ can be written as $g = z^l h$ for some $h \in \mathcal{R}_{n-l}$ and satisfies $\psi^l g = 0$, then $g = 0$.

Since it holds that $\psi^{n-t+1} f = 0$ and $\psi^{n-t+1} e^{(i)}_{t,n} = 0$ for all $i = 0, 1, \ldots, n-t$, (25) implies that $\psi^{n-t+1} g = 0$. By applying Lemma 2 to $g$ in (25), we have $g = 0$. This completes the proof of $\dim \mathcal{E}_{t,n} \leq n-t+1$. □

Now, we are ready to give the following theorem, which characterizes $\mathcal{F}_{t,n}$ as lattice points.

338 Hiroki Koga

Theorem 3. For any $n \geq 2$ and $2 \leq t \leq n$, it holds that

$$\mathcal{F}_{t,n} = \Bigl\{ \sum_{i=0}^{n-t} \beta_i e^{(i)}_{t,n} : \beta_i \in \mathbb{Z} \text{ for all } i = 0, 1, \ldots, n-t \text{ and } \sum_{i=0}^{n-t} \beta_i > 0 \Bigr\}. \qquad (26)$$

Proof. We use the fact that $e^{(i)}_{t,n}$, $0 \leq i \leq n-t$, satisfy $\psi^{n-t} e^{(i)}_{t,n} = (n-t)!\,(a-z)^t$ and therefore

$$\psi^{n-t} e^{(i)}_{t,n}\big|_{z=0} = (n-t)!\, a^t \quad \text{for all } i = 0, 1, \ldots, n-t, \qquad (27)$$

which can be easily verified similarly to the method that develops $\psi^{n-t+1} e^{(i)}_{t,n} = 0$ in (18) and (19). Let $\mathcal{C}_{t,n}$ denote the set on the right-hand side of (26). We prove Theorem 3 by developing both $\mathcal{F}_{t,n} \subset \mathcal{C}_{t,n}$ and $\mathcal{C}_{t,n} \subset \mathcal{F}_{t,n}$. Since $\mathcal{F}_{t,n} \subset \mathcal{E}_{t,n}$, an arbitrary $f \in \mathcal{F}_{t,n}$ can be expressed as

$$f = \sum_{i=0}^{n-t} \beta_i e^{(i)}_{t,n} + g \qquad (28)$$

by using the same method that yields (25), where $g = z^{n-t+1} h$ and $h \in \mathcal{R}_{t-1}$. If we apply Lemma 2 to $g$ in (28), we have $g = 0$. In addition, it is important to notice that $\beta_i \in \mathbb{Z}$ for all $i = 0, 1, \ldots, n-t$ because no division is included in the method. By applying $\psi^{n-t}$ to both sides of (28) and setting $z = 0$, we have

$$\psi^{n-t} f\big|_{z=0} = (n-t)!\, \Bigl( \sum_{i=0}^{n-t} \beta_i \Bigr) a^t \qquad (29)$$

from (27). Since $f \in \mathcal{F}_{t,n}$ satisfies $\psi^{n-t} f|_{z=0} = C a^t$ for some integer $C > 0$, (29) implies that $\sum_{i=0}^{n-t} \beta_i > 0$. This establishes $\mathcal{F}_{t,n} \subset \mathcal{C}_{t,n}$.

The proof of $\mathcal{C}_{t,n} \subset \mathcal{F}_{t,n}$ is easy. Fix an $f \in \mathcal{C}_{t,n}$ arbitrarily. Since $f \in \mathcal{C}_{t,n}$, $f$ is expressed as $f = \sum_{i=0}^{n-t} \beta_i e^{(i)}_{t,n}$, where $\beta_i \in \mathbb{Z}$ for all $i = 0, 1, \ldots, n-t$ and $\sum_{i=0}^{n-t} \beta_i > 0$. Then, it immediately follows from Lemma 1, (27) and the linearity of $\psi^{n-t+1}$ and $\psi^{n-t}$ that

$$\psi^{n-t+1} f = \sum_{i=0}^{n-t} \beta_i \bigl(\psi^{n-t+1} e^{(i)}_{t,n}\bigr) = \sum_{i=0}^{n-t} \beta_i \cdot 0 = 0, \qquad (30)$$

$$\psi^{n-t} f\big|_{z=0} = \sum_{i=0}^{n-t} \beta_i \bigl(\psi^{n-t} e^{(i)}_{t,n}\bigr)\big|_{z=0} = (n-t)!\, \Bigl( \sum_{i=0}^{n-t} \beta_i \Bigr) a^t, \qquad (31)$$

which shows that $f \in \mathcal{F}_{t,n}$ because $\sum_{i=0}^{n-t} \beta_i > 0$ by assumption. □

Now, define

$$\mathcal{B}_k = \Bigl\{ (\beta_0, \beta_1, \ldots, \beta_{k-1}) \in \mathbb{Z}^k : \sum_{i=0}^{k-1} \beta_i > 0 \Bigr\} \qquad (32)$$

for $k \geq 1$. Then, Theorem 3 tells us that each $(\beta_0, \beta_1, \ldots, \beta_{n-t}) \in \mathcal{B}_{n-t+1}$ gives an element $f \in \mathcal{F}_{t,n}$. Since Theorem 2 guarantees that there exists a bijection $\varphi : \mathcal{M}_{t,n} \to \mathcal{F}_{t,n}$, such an $f \in \mathcal{F}_{t,n}$ yields a pair of generating matrices $\varphi^{-1}(f) = (X_0, X_1) \in \mathcal{M}_{t,n}$. The following corollary describes properties of such a pair of generating matrices.

Corollary 1. Let $(\beta_0, \beta_1, \ldots, \beta_{n-t}) \in \mathcal{B}_{n-t+1}$ be arbitrarily given. Let $(X_0, X_1) \in \mathcal{M}_{t,n}$ be the pair of generating matrices corresponding to $f = \sum_{i=0}^{n-t} \beta_i e^{(i)}_{t,n} \in \mathcal{F}_{t,n}$. Then, the relative difference $\alpha$ of $(X_0, X_1)$ is given by

$$\alpha = \frac{2 \sum_{i=0}^{n-t} \beta_i}{\binom{n}{t} \|f\|}, \qquad (33)$$

where $\|f\|$ denotes the norm of $f$. In addition, the number of rows in $X_0$ (or $X_1$) is equal to $\|f\| \cdot n!/2$.

Proof. Recall that $\psi^{n-t} f|_{z=0}$ is given by (29) for any $f = \sum_{i=0}^{n-t} \beta_i e^{(i)}_{t,n} \in \mathcal{F}_{t,n}$. Equation (29) means that the relative difference of the pair of generating matrices $\varphi^{-1}(f) = (X_0, X_1)$ is caused by $(n-t)! \sum_{i=0}^{n-t} \beta_i$ CPMs each of which is represented as $a^t$. Since the CPM represented as $a^t$ contains $t!$ 0's, the number of subpixels yielding relative difference is equal to $W = (n-t)!\,t! \sum_{i=0}^{n-t} \beta_i$.

Next, we evaluate the number of rows contained in $X_0$ or $X_1$. Recall that, letting $f = f^+ - f^-$ be the decomposition of $f$, $X_0$ and $X_1$ have the polynomial representations $f^+$ and $f^-$, respectively. Clearly, we have $\|f\| = \|f^+\| + \|f^-\|$. In addition, since $f = \sum_{i=0}^{n-t} \beta_i e^{(i)}_{t,n}$ and $e^{(i)}_{t,n}|_{a=z=1} = 0$ for all $i = 0, 1, \ldots, n-t$, setting $a = z = 1$ in $f = f^+ - f^-$ leads to $\|f^+\| = \|f^-\|$. Hence, it holds that $\|f^+\| = \|f^-\| = \|f\|/2$. Since both $X_0$ and $X_1$ are concatenations of $\|f^+\| = \|f^-\|$ CPMs each of which has $n!$ rows, the number of rows $M$ of $X_0$ and $X_1$ turns out to satisfy $M = \|f\| \cdot n!/2$. Then, the claim of the corollary is immediate because $\alpha = W/M$. □

We have developed a method which enables us to construct a pair of generating matrices $(X_0, X_1) \in \mathcal{M}_{t,n}$ from an $f \in \mathcal{F}_{t,n}$. In fact, letting $f$ be an arbitrary element of $\mathcal{F}_{t,n}$ and $f = f^+ - f^-$ the decomposition of $f$, $X_0$ and $X_1$ are the concatenations of CPMs with the polynomial representations $f^+$ and $f^-$, respectively. However, Corollary 1 tells us that the number of rows of such $X_0$ and $X_1$ can be large because they have $\|f\| \cdot n!/2$ rows.

However, we can also develop a method for finding a pair of generating matrices with a smaller number of rows. We make use of the fact that any CPM can be written as a concatenation of DPMs. To this end, we define

$$\mathcal{G}^*_{t,n} = \Bigl\{ g = \sum_{i=0}^{n} \gamma_i \frac{a^{n-i} z^i}{(n-i)!\,i!} \in \mathcal{G}_{t,n} : \gcd\{\gamma_i : i = 0, 1, \ldots, n-t\} = 1 \Bigr\}, \qquad (34)$$

where $\gcd\{\gamma_i : i = 0, 1, \ldots, n-t\}$ denotes the greatest common divisor $\geq 1$. In order to reduce the number of rows, we use the mapping $\pi : \mathcal{F}_{t,n} \to \mathcal{G}^*_{t,n}$ given in the following proposition.

Proposition 2. For any $n \geq 2$ and $2 \leq t \leq n$ there exists a surjection $\pi : \mathcal{F}_{t,n} \to \mathcal{G}^*_{t,n}$.

Proof. We define $\pi$ in the following way. Let $f = \sum_{i=0}^{n} \gamma_i a^{n-i} z^i$ be an arbitrary element of $\mathcal{F}_{t,n}$. Since for each $i = 0, 1, \ldots, n$ the CPM with the monomial representation $a^{n-i} z^i$ is a concatenation of $(n-i)!\,i!$ DPMs with the monomial representation $\frac{a^{n-i} z^i}{(n-i)!\,i!}$, $f$ can be written as

$$f = \sum_{i=0}^{n} \gamma_i (n-i)!\,i! \cdot \frac{a^{n-i} z^i}{(n-i)!\,i!}. \qquad (35)$$

Define $G$ by $G = \gcd\{\gamma_i (n-i)!\,i! : i = 0, 1, \ldots, n-t\}$. Then, we can define $\pi : \mathcal{F}_{t,n} \to \mathcal{G}^*_{t,n}$ as

$$\pi : f \mapsto \sum_{i=0}^{n} \frac{\gamma_i (n-i)!\,i!}{G} \cdot \frac{a^{n-i} z^i}{(n-i)!\,i!}.$$

It is easy to see that this $\pi$ is surjective. □

We call the operation converting $f \in \mathcal{F}_{t,n}$ into $\pi(f) \in \mathcal{G}^*_{t,n}$ the contraction. Notice that Theorem 1-(b) guarantees that $(Y_0, Y_1) = \sigma^{-1}(\pi(f))$ becomes a pair of generating matrices of the $(t,n)$-VSSS. Obviously, while the relative difference caused by $(Y_0, Y_1)$ is the same as that of $(X_0, X_1)$, the number of rows of $Y_i$ becomes $1/G$ times that of $X_i$ for $i = 0, 1$. Summarizing, we have the following theorem giving a general formula of the $(t,n)$-VSSS:

Theorem 4. Let $n \geq 2$ and $2 \leq t \leq n$ be arbitrary integers. Then, for each $(\beta_0, \beta_1, \ldots, \beta_{n-t}) \in \mathcal{B}_{n-t+1}$, $f = \sum_{i=0}^{n-t} \beta_i e^{(i)}_{t,n}$ leads to a pair of generating matrices $(Y_0, Y_1) = \sigma^{-1}(\pi(f)) \in \mathcal{N}_{t,n}$. The relative difference $\alpha$ and the number of rows $M$ of such a $(Y_0, Y_1)$ are given by (33) and $M = \|f\| \cdot n!/(2G)$, respectively, where, letting $f = \sum_{i=0}^{n} \gamma_i a^{n-i} z^i$ denote the expansion of $f$, $G$ is defined by $G = \gcd\{\gamma_i (n-i)!\,i! : i = 0, 1, \ldots, n\}$.

Example 1. We construct a pair of generating matrices $(Y_0, Y_1)$ for the $(3,4)$-VSSS by using Theorem 4. Theorem 4 tells us that for each $(\beta_0, \beta_1) \in \mathcal{B}_2$, $f = \beta_0 a(a-z)^3 + \beta_1 z(a-z)^3$ yields $(Y_0, Y_1) \in \mathcal{N}_{3,4}$. If we set $(\beta_0, \beta_1) = (1, 1)$, it easily follows that

$$f = a(a-z)^3 + z(a-z)^3 = a^4 - 2a^3 z + 2a z^3 - z^4 = 4!\,\frac{a^4}{4!} - 2 \cdot 3!\,1!\,\frac{a^3 z}{3!\,1!} + 2 \cdot 1!\,3!\,\frac{a z^3}{1!\,3!} - 4!\,\frac{z^4}{4!}, \qquad (36)$$

which means (with $G = \gcd\{24, 12\} = 12$) that $g = \pi(f) = 2\frac{a^4}{4!} - \frac{a^3 z}{3!\,1!} + \frac{a z^3}{1!\,3!} - 2\frac{z^4}{4!}$. Since the decomposition of $g$ is given by $g^+ = 2\frac{a^4}{4!} + \frac{a z^3}{1!\,3!}$ and $g^- = \frac{a^3 z}{3!\,1!} + 2\frac{z^4}{4!}$, the concatenations of DPMs corresponding to $g^+$ and $g^-$ become $Y_0$ and $Y_1$, respectively. By using Proposition 1-(a) we obtain

$$Y_0 = \begin{bmatrix} 0 & 0 & 0 & 1 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 \\ 0 & 0 & 1 & 1 & 0 & 1 \\ 0 & 0 & 1 & 1 & 1 & 0 \end{bmatrix}, \qquad Y_1 = \begin{bmatrix} 1 & 1 & 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 1 & 0 & 0 \\ 1 & 1 & 0 & 0 & 1 & 0 \\ 1 & 1 & 0 & 0 & 0 & 1 \end{bmatrix}.$$

This pair of generating matrices, which yields $\alpha = 1/6$, coincides with the pair of generating matrices of the $(3,n)$-VSSS given by Naor and Shamir [ref] with $n = 4$. Recall that $(Y_0, Y_1)$ is heuristically constructed in [ref]. □

Notice that the converse of Theorem 4 is also true. That is, we can show that for any $(Y_0, Y_1) \in \mathcal{N}_{t,n}$ there exists an $f \in \mathcal{F}_{t,n}$ satisfying $(Y_0, Y_1) = \sigma^{-1}(\pi(f))$. This property is due to the fact that $\pi : \mathcal{F}_{t,n} \to \mathcal{G}^*_{t,n}$ is surjective and there exists a surjection $\tilde\pi : \mathcal{G}_{t,n} \to \mathcal{G}^*_{t,n}$ which is defined similarly to $\pi$ in Proposition 2.


3.2 Construction of Suboptimal $(t,n)$-VSSS Using the Formula

In this subsection we consider construction of an optimal $(t,n)$-VSSS by using Theorem 4. We consider the following two kinds of criteria for optimization: (A) maximization of the relative difference $\alpha$, and (B) minimization of the number of rows $M$. If there exists more than one pair of generating matrices with maximum $\alpha$ under (A), we choose the pair with the smallest $M$. On the other hand, if there exists more than one pair of generating matrices with minimum $M$ under (B), we choose the pair with the greatest $\alpha$.

How can we find the optimal $(Y_0, Y_1) \in \mathcal{N}_{t,n}$ by using Theorem 4 under criterion (A) or (B)? Unfortunately, it is quite difficult to find the optimal $(Y_0, Y_1)$ theoretically because the formulas of $\alpha$ and $M$ given in Theorem 4 include $\|f\|$ or $G$. However, we can use Theorem 4 in the following way for finding a suboptimal pair of generating matrices of the $(t,n)$-VSSS. We first choose a subset $\mathcal{B}'_{n-t+1} \subset \mathcal{B}_{n-t+1}$ with a finite number of elements adequately. Next, for each $(\beta_0, \beta_1, \ldots, \beta_{n-t}) \in \mathcal{B}'_{n-t+1}$ we expand $f = \sum_{i=0}^{n-t} \beta_i e^{(i)}_{t,n}$ to the form $f = \sum_{i=0}^{n} \gamma_i a^{n-i} z^i$ and compute $G = \gcd\{\gamma_i (n-i)!\,i! : i = 0, 1, \ldots, n\}$. Since Theorem 4 tells us that both $M$ and $\alpha$ are determined from $f$ and $G$, recalling that $|\mathcal{B}'_{n-t+1}| < \infty$, we can find $(\beta_0, \beta_1, \ldots, \beta_{n-t}) \in \mathcal{B}'_{n-t+1}$ that leads to $(Y_0, Y_1) \in \mathcal{N}_{t,n}$ optimal in $\mathcal{B}'_{n-t+1}$. Though we mention only (A) and (B) as criteria of optimization here, such a search is possible under another criterion given in [ref]. In addition, notice that, since $\mathcal{B}_{n-t+1}$ is a countably infinite set, we can choose $\mathcal{B}'_{n-t+1}$ such that the suboptimal $(Y_0, Y_1)$ becomes globally optimal as $|\mathcal{B}'_{n-t+1}| \to \infty$.

In our computer search, we defined $\mathcal{B}'_{n-t+1}$ as the collection of all $(\beta_0, \beta_1, \ldots, \beta_{n-t}) \in \mathbb{Z}^{n-t+1}$ satisfying $\beta_i \geq 0$ for all $i = 0, 1, \ldots, n-t$, $\gcd\{\beta_0, \beta_1, \ldots, \beta_{n-t}\} = 1$ and $\sum_{i=0}^{n-t} \beta_i \leq 120$. For each $n \leq 9$ and $2 \leq t \leq n-1$ we exhaustively searched for $(\beta_0, \beta_1, \ldots, \beta_{n-t}) \in \mathcal{B}'_{n-t+1}$ that yields $(Y_0, Y_1) \in \mathcal{N}_{t,n}$ with the optimality in $\mathcal{B}'_{n-t+1}$ under the two respective criteria. Clearly, the time required for this search becomes long as $n-t+1$ increases. However, for small $n$ such as 9 this search
was completed in realistic time (at most several days) when we used a personal computer with a Pentium III 1.0 GHz processor.

Table 1. Suboptimal $(t,n)$-VSSS in $\mathcal{N}_{t,n}$ for $3 \leq n \leq 9$ under (A)

(t,n)   M      alpha    {beta_0, beta_1, ..., beta_{n-t}}
(2,3)   3      1/3      {1,2}, {2,1}
(2,4)   6      1/3      {1,2,1}
(3,4)   6      1/6      {1,1}
(2,5)   10     3/10     {2,4,6,3}, {3,6,4,2}
(3,5)   8      1/8      {3,4,3}
(4,5)   15     1/15     {2,3}, {3,2}
(2,6)   20     3/10     {1,2,3,2,1}
(3,6)   10     1/10     {2,3,3,2}
(4,6)   36     1/18     {4,7,4}
(5,6)   30     1/30     {1,1}
(2,7)   35     2/7      {3,6,9,12,8,4}, {4,8,12,9,6,3}
(3,7)   30     1/10     {3,9,11,9,3}
(4,7)   70     3/70     {15,32,38,20}, {20,38,32,15}
(5,7)   48     1/48     {2,3,2}
(6,7)   70     1/70     {3,4}, {4,3}
(2,8)   70     2/7      {1,2,3,4,3,2,1}
(3,8)   42     2/21     {1,3,4,4,3,1}
(4,8)   160    3/80     {9,20,26,20,9}
(5,8)   112    1/56     {2,5,5,2}
(6,8)   198    1/99     {15,26,15}
(7,8)   140    1/140    {1,1}
(2,9)   126    5/18     {4,8,12,16,20,15,10,5}, {5,10,15,20,16,12,8,4}
(3,9)   56     5/56     {5,15,21,23,21,15,5}
(4,9)   630    2/63     {3,7,10,10,7,3}
(5,9)   8064   13/896   {11,29,37,29,11}
(6,9)   1764   1/147    {19,39,37,17}
(7,9)   252    1/252    {1,2,1}
(8,9)   315    1/315    {4,5}, {5,4}

Table 1 shows $M$ and $\alpha$ of the generating matrices of the $(t,n)$-VSSS that is optimal in $\mathcal{B}'_{n-t+1}$ under criterion (A). While [ref] discusses the optimality of $\alpha$ for $t = 3, 4, 5, n-1$ from a combinatorial viewpoint under (A), their approach cannot be applied to the cases of $6 \leq t \leq n-2$. We found pairs of generating matrices of the $(6,8)$-, $(6,9)$- and $(7,9)$-VSSSs with the optimality (A) in $\mathcal{B}'_{n-t+1}$. For each $2 \leq n \leq 9$ and $2 \leq t \leq 4$, $\alpha$ in Table 1 attains the theoretical upper bound given in [ref] by the linear programming approach (for $t \geq 5$ no upper bound is given in [ref]). In addition, for each $2 \leq n \leq 9$ and $2 \leq t \leq 5$, $\alpha$ in Table 1 is greater than or equal to $\alpha$ in [ref] except for the case of the $(5,7)$-VSSS (for $t \geq 6$, $\alpha$ is not written in [ref]). The pair of generating matrices of the $(5,7)$-VSSS in [ref], yielding $\alpha = 4/147$, may not belong to $\mathcal{N}_{t,n}$ because we cannot find such a pair even from the larger set $\{(\beta_0, \beta_1, \beta_2) \in \mathbb{Z}^3 : \beta_0 + \beta_1 + \beta_2 > 0,\ |\beta_i| \leq 1000 \text{ for } i = 0, 1, 2\}$. Furthermore, a pair of generating matrices of the $(4,7)$-VSSS, which is written as $g = 15\frac{a^7}{7!} - 4\frac{a^6 z}{6!\,1!} + \frac{a^3 z^4}{3!\,4!} - 6\frac{a z^6}{1!\,6!} + 20\frac{z^7}{7!}$ in the polynomial expression and was first reported in [ref], turned out to be optimal in $\mathcal{B}'_{n-t+1}$ (the method for finding such $g$ is not written in [ref]). Clearly, this pair of generating matrices, yielding $\alpha = 3/70$ and $M = 70$, is better than the pair given by [ref] with $\alpha = 3/80$ and $M = 160$.

On the other hand, if $n \leq 9$, under (B) we found pairs of generating matrices $(Y_0, Y_1)$ with the same number of rows as the pairs given by Droste [ref] except for the case of the $(6,8)$-VSSS. While Droste [ref] mentions the existence of $(Y_0, Y_1)$ with $M = 128$ and $\alpha = 1/128$, we found $(Y_0, Y_1)$ with $M = 126$ and $\alpha = 1/126$ (choose $(\beta_0, \beta_1, \beta_2) = (5, 14, 9)$ or $(9, 14, 5)$). In addition, for the case of $n = 10$, we found a pair of generating matrices of the $(8,10)$-VSSS with $M = 590$ and $\alpha = 1/590$ (choose $(\beta_0, \beta_1, \beta_2) = (14, 22, 9)$), though Droste [ref] just mentions the existence of $(Y_0, Y_1)$ with $M = 640$ and $\alpha = 1/640$.

It is also interesting to find a $(\beta_0, \beta_1, \ldots, \beta_{n-t}) \in \mathcal{B}_{n-t+1}$ that leads to a simple pair of generating matrices $(Y_0, Y_1) \in \mathcal{N}_{t,n}$. We conclude the paper by giving such a $(Y_0, Y_1)$ expressed in the polynomial representation for $t = n, n-1, 2$.

(i) $(n,n)$-VSSS

Theorem 3 tells us that elements of $\mathcal{F}_{n,n}$ can be written as $f = \beta_0 (a-z)^n$, where $\beta_0$ is a positive integer. Then, it easily follows that

$$\pi(f) = \sum_{i=0}^{n} (-1)^i \frac{a^{n-i} z^i}{(n-i)!\,i!}$$

is independent of $\beta_0$. This is the pair of generating matrices with $\alpha = 1/2^{n-1}$ given by Naor and Shamir [ref].

(ii) $(n-1,n)$-VSSS

Theorem 3 guarantees that $f \in \mathcal{F}_{n-1,n}$ can be expressed as $f = \beta_0\, a(a-z)^{n-1} + \beta_1\, z(a-z)^{n-1}$, where $(\beta_0, \beta_1) \in \mathcal{B}_2$. We set $\beta_0 = \beta_1 = 1$ for even $n$, and $\beta_0 = \lfloor n/2 \rfloor$ and $\beta_1 = \lceil n/2 \rceil$ for odd $n$. Then, $\pi(f)$ can be expressed as

$$\pi(f) = \begin{cases} \displaystyle\sum_{i=0}^{n} (-1)^i \Bigl(\frac{n}{2} - i\Bigr) \frac{a^{n-i} z^i}{(n-i)!\,i!}, & \text{if } n \text{ is even}, \\[2ex] \displaystyle\sum_{i=0}^{n} (-1)^i \Bigl(\frac{n-1}{2} - i\Bigr) \frac{a^{n-i} z^i}{(n-i)!\,i!}, & \text{if } n \text{ is odd}, \end{cases}$$

which leads to the pair of generating matrices with $M = \frac{n}{2}\binom{n-1}{n/2-1}$ and $\alpha = 1\big/\bigl[\frac{n}{2}\binom{n-1}{n/2-1}\bigr]$ for even $n$, and $M = n\binom{n-2}{(n-3)/2}$ and $\alpha = 1\big/\bigl[n\binom{n-2}{(n-3)/2}\bigr]$ for odd $n$. These pairs of generating matrices are given by Blundo et al. [ref].

(iii) $(2,n)$-VSSS

By Theorem 3, $f \in \mathcal{F}_{2,n}$ can be written as $f = \sum_{i=0}^{n-2} \beta_i a^{n-2-i} z^i (a-z)^2$, where $(\beta_0, \beta_1, \ldots, \beta_{n-2}) \in \mathcal{B}_{n-1}$. If we set $\beta_i = n-1-i$ for all $i = 0, 1, \ldots, n-2$, we have

$$\pi(f) = (n-1)\frac{a^n}{n!} - \frac{a^{n-1} z}{(n-1)!\,1!} + \frac{z^n}{n!},$$

which leads to the pair of generating matrices given by Naor and Shamir [ref] with $M = n$ and $\alpha = 1/n$. On the other hand, for the case of even $n$, if we set $\beta_i = i+1$ for $i = 0, 1, \ldots, \frac{n}{2}-1$ and $\beta_i = n-1-i$ for $i = \frac{n}{2}, \frac{n}{2}+1, \ldots, n-2$, we have

$$\pi(f) = \frac{1}{2}\binom{n}{n/2}\Bigl(\frac{a^n}{n!} + \frac{z^n}{n!}\Bigr) - \frac{a^{n/2} z^{n/2}}{(n/2)!\,(n/2)!}.$$

The pair of generating matrices corresponding to $f$ above satisfies $M = \binom{n}{n/2}$ and $\alpha = \frac{n}{4(n-1)}$.


Appendix

A Proof of Theorem 1

We prove Theorem 1-(a) here because Theorem 1-(b) can be developed similarly. Let $X_0$ and $X_1$ be concatenations of CPMs with the polynomial representations $f_0$ and $f_1$, respectively. By the assumption of the theorem, $f_0$ and $f_1$ satisfy (7) and (8). In view of Definition 1 and the definition of the generating matrices, it is sufficient to prove that (i) $X_0[S] = X_1[S]$ for any $S \in 2^{\mathcal{V}}$ with $|S| = t-1$, and (ii) $h(\mathrm{OR}(X_0[S])) < h(\mathrm{OR}(X_1[S]))$ for any $S \in 2^{\mathcal{V}}$ with $|S| = t$.

The proof of property (i) is simple. Since Proposition 1 tells us that for $i = 0, 1$ application of $\psi^{n-t+1}$ to $f_i$ means elimination of arbitrary $n-t+1$ rows from $X_i$, (7) implies that $X_0[S] = X_1[S]$ for any $S \in 2^{\mathcal{V}}$ with $|S| = t-1$. This establishes property (i). On the other hand, we notice that $\psi^{n-t} f_i|_{z=0}$ means the number of the CPMs represented as $a^t$ in $\mathrm{OR}(X_i[S])$ for any $S \in 2^{\mathcal{V}}$ with $|S| = t$. Then, (8) implies that $\mathrm{OR}(X_0[S])$ contains more CPMs represented as $a^t$ than $\mathrm{OR}(X_1[S])$, which immediately leads to $h(\mathrm{OR}(X_0[S])) < h(\mathrm{OR}(X_1[S]))$. This establishes property (ii).

B Proof of Lemma 2

We prove Lemma 2 by induction on $l$. The claim of the lemma is trivial if $l = 0$. Let $l \geq 1$ be an arbitrary integer and suppose that an arbitrary $g \in \mathcal{R}_n$ with $g = z^l h$ for some $h \in \mathcal{R}_{n-l}$ satisfies $\psi^l g = 0$. Since

$$\psi^l g = \psi^{l-1}\bigl(\psi(z^l h)\bigr) = \psi^{l-1}\Bigl( z^{l-1}\bigl( l h + z \cdot \psi(h) \bigr) \Bigr), \qquad \text{(B.1)}$$

we have

$$l h + z \cdot \psi(h) = 0 \qquad \text{(B.2)}$$

by the induction hypothesis. Setting

$$h = \gamma_0 a^{n-l} + \gamma_1 a^{n-l-1} z + \cdots + \gamma_{n-l} z^{n-l},$$

(B.2) leads to

$$l\gamma_0 a^{n-l} + \bigl[(n-l)\gamma_0 + (l+1)\gamma_1\bigr] a^{n-l-1} z + \cdots + \bigl[\gamma_{n-l-1} + n\gamma_{n-l}\bigr] z^{n-l} = 0, \qquad \text{(B.3)}$$

which means that $l\gamma_0 = (n-l)\gamma_0 + (l+1)\gamma_1 = \cdots = \gamma_{n-l-1} + n\gamma_{n-l} = 0$ and therefore $\gamma_0 = \gamma_1 = \cdots = \gamma_{n-l} = 0$.
Abstract. A Key Distribution Center enables secure communications 
among groups of users in a network by providing common keys that can 
be used with a symmetric encryption algorithm to encrypt and decrypt 
messages the users wish to send to each other. A Distributed Key Dis- 
tribution Center is a set of servers of a network that jointly realize a 
Key Distribution Center. In this paper we propose an unconditionally 
secure scheme to set up a robust Distributed Key Distribution Center. 
Such a distributed center keeps working even if some minority of the 
servers malfunction or misbehave under the control of a mobile adver- 
sary. Our scheme for a distributed key distribution center is constructed 
using unconditionally secure proactive verifiable secret sharing schemes. 
We review the unconditionally secure verifiable secret sharing scheme 
described by Stinson and Wei, discuss a problem with the proactive ver- 
sion of that scheme, and present a modified version which is proactively 
secure. 


1 Introduction 

A group of users of a network, referred to as a “conference”, could decide to use symmetric encryption algorithms, e.g., RC6 or AES, in order to securely communicate over public channels. These algorithms are fast and presumed to be secure. But to apply this strategy, the users need a common key with which to encrypt and to decrypt the messages they wish to send to each other. This basic problem is well known in the literature and is called the Key Establishment Problem. 

A common solution to the Key Establishment Problem is to use a Key Dis- 
tribution Center (KDC, for short), in which a server is responsible for the dis- 
tribution and management of the secret keys. The idea is the following: Each 
user shares a common key with the center. When he wants to securely commu- 
nicate with a subset of other users, he sends a request for a conference key. The 
center checks for membership of the user in that conference, and generates and 
distributes the conference key in encrypted form to each member of the group. 
Needham and Schroeder [13] initiated this approach, implemented most notably in the Kerberos system [ref]. Kerberos was formally defined and studied in [ref], where it is referred to as the three-party model. 

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 346–363, 2002. 

The scheme implemented by the Key Distribution Center is called a Key 
Distribution Scheme (KDS, for short). The scheme is said to be unconditionally 
secure if it is secure independent of the computational resources of the adversary. 
Several kinds of Key Distribution Schemes have been considered in the literature: 
Key Pre-Distribution Schemes (KPS, for short), Key Agreement Schemes (KAS, 
for short) and Broadcast Encryption Schemes (BES, for short) among others. 
The reader can consult [ref] for a survey on unconditionally secure schemes, 
[ref] for a general and detailed description of a variety of protocols for the Key 
Establishment Problem and related issues, and [ref] for a simple introduction. 

Our attention in this paper focuses on a model which remedies some potential 
weaknesses introduced by using a single KDC. Indeed, the main drawback of a 
single KDC is that it must be trusted. Potentially, it could eavesdrop on all the 
communications. Moreover, the center can be a “bottleneck” for the performance 
of the network and, if it crashes, secure communication cannot be supported 
anymore. Last but not least, even if the KDC is honest and everything works 
fine, the KDC still represents an attractive target to the adversary because the 
overall system security is lost if the KDC is compromised. 

In order to solve the above problems, a new approach to key distribution was 
introduced in [ref]. A Distributed Key Distribution Center (DKDC, for short) is a 
set of n servers of a network that jointly realize the function of a Key Distribution 
Center. A user who needs to participate in a conference sends a key-request to 
a subset of his own choosing of the n servers, and the contacted servers answer 
with some information enabling the user to compute the conference key. In such a 
model, a single server by itself does not know the secret keys, since they are shared 
between the n servers. Moreover, if some server crashes, secure communication 
can still be supported by the other servers and, since each user can contact 
a different subset of servers, the slow-down factor for the performance of the 
applications introduced by a single KDC can be improved. 

In subsequent papers [ref], the notion of DKDC has been studied from 
an information theoretic point of view. Therein, the authors showed that the 
protocol proposed in [ref], based on bivariate polynomials, is optimal with respect 
to the amount of information needed to set up and manage the system. 

In this paper we show how to set up a Robust DKDC. Namely, we describe 
a protocol where each server can verify that the information it stores and uses 
to answer the user’s key-request messages is consistent with the information 
stored by the other servers; at the same time, the users are guaranteed that 
they can compute the same key for a given conference to which they belong. 
Moreover, time is divided in periods, and at the beginning of each period 
the servers are involved in an update procedure that “refreshes” the private 
information they store while the conference keys they provide stay the same. 
This property is referred to as proactive security. Notice that, in [ref], a simple 
solution was outlined, which could have been applied to the basic polynomial 
construction they proposed in order to achieve the above properties. However, 
as we show here, that solution does not work. 

The design of our DKDC is based on unconditionally secure proactive verifiable 
secret sharing. In Section 5 we show that some existing schemes [ref] 
contain flaws. Then, we describe two techniques to modify these schemes in order 
to realize the proactive security property. We point out that the same ideas can 
be used to provide the proactive security property even to the verifiable secret 
sharing schemes given in [ref]. 

2 The Model 

Let U = {U_1, ..., U_m} be a set of m users and let S = {S_1, ..., S_n} be a set 
of n servers. Each user has secure channels connecting him or her to all the 
servers. Each pair of servers is connected by a secure channel and all of them 
share a broadcast channel and a global clock (i.e., the system is synchronous). 
Servers can be good (i.e., they honestly execute the protocol) or bad (i.e., they 
are controlled by an adversary and can deviate from the protocol in arbitrary 
ways) but a majority of good servers is always present across the system. Let C 
be the set of conferences, i.e., the set of groups of users which want to securely 
communicate, and let Q be the set of tolerated coalitions, i.e., the set of coalitions 
of users who can try to break the scheme in some way. For example, C could be 
the set of all subsets of users of size p while Q could be the set of all subsets 
of users of size q. A verifiable distributed key distribution scheme is divided in 
three phases: an initialization phase, which involves only the servers; a key- 
request phase, in which users ask servers for keys; and a key-computation phase, 
in which users construct keys from the messages they received from the servers 
who were contacted during the key-request phase. 

Initialization Phase. We assume that the initialization phase is performed by a 
joint computation of all the servers. Each of them, using a private source of 
randomness r_i, generates some messages that it securely sends to the others. More 
precisely, for i = 1, ..., n, S_i sends to S_j some message γ_{i,j}, for each j = 1, ..., n. 
At the end of the distribution phase, for i = 1, ..., n, each server S_i verifies the 
information received, sends messages along the broadcast channel and, eventually, 
computes and stores some secret information α_i = f(γ_{1,i}, ..., γ_{n,i}), where 
f is a publicly known function. Moreover, each server constructs a list L of the 
good servers present across the network at the end of this phase (the lists held 
by the good servers will all contain the same identifiers). 

Key-Request Phase. Let C_h ∈ C be a conference. Each user U_j in C_h contacts 
a subset of a certain size of good servers belonging to L, requesting a key for 
the conference C_h. We denote this key by K_h. Each good server S_i, contacted 
by user U_j, checks¹ for membership of U_j in C_h; if U_j ∈ C_h, then S_i computes 
a value y_{i,j} = F(α_i, j, h), where F is a publicly known function. Otherwise, S_i 
sets y_{i,j} = ⊥ (a special value which conveys no information about K_h). Finally, 
S_i sends the value y_{i,j} to U_j. Note that a bad server can either refuse to reply 
or it may send some incorrect value. 

¹ We do not consider the underlying authentication mechanism involved in a key 
request phase. 

Key-Computation Phase. Having received the values from the servers, each user 
U_j in C_h computes K_h from a certain majority of the values received. 

Roughly speaking, a Verifiable DKDC must satisfy the following properties: 

- Correct and Verifiable Initialization Phase. When the initialization 
phase successfully terminates, any good server S_i must be able to identify 
the subset of good servers and to compute his private information α_i. 

- Consistent Key Computation. Each user in a conference C_h ⊆ U must 
be able to compute the same conference key, after interacting with a subset 
of good servers of a certain size. 

- Conference Key Security. A conference key must be secure against attacks 
performed by coalitions of bad servers, coalitions of users, and hybrid 
coalitions of a certain size consisting of servers and users. 

Let b be an upper bound on the number of bad servers during any phase of 
the protocol, and let t > b denote a sufficient number of parties to reconstruct a 
possible conference key. In a more precise way, we state the following definition: 


Definition 1. Let b, t and n be integers such that n > t and t > b. Let U = 
{U_1, ..., U_m} be a set of m users, and let S = {S_1, ..., S_n} be a set of n servers. 
Finally, let C ⊆ 2^U be the set of conferences and let Q ⊆ 2^U be the set of tolerated 
coalitions. A verifiable (b,t,n,C,Q)-Distributed Key Distribution Scheme 
(for short, (b,t,n,C,Q)-VDKDS) is a three-phase protocol consisting of an 
Initialization Phase, a Key Request Phase, and a Key Computation Phase, which 
enables each user in C_h ∈ C to compute a common key K_h by interacting with 
at least n − b servers of the network. More precisely, the following properties are 
satisfied: 

1. After the initialization phase, each good server computes his private 
information and verifies its consistency with the information received and stored 
by the other good servers. At least n − b servers successfully complete this 
phase and each of them constructs the same (public) list L containing the 
identities of the good servers. 

2. Each user in C_h ∈ C can compute the common key K_h by contacting the 
servers in L. At least |L| − b ≥ t of the |L| servers give good answers, from 
which the user reconstructs the key. Any t good answers are sufficient to 
reconstruct the key. 

3. Each conference key is completely secure against coalitions of users G ∈ Q; 
coalitions of servers of size less than b; and joint coalitions of at most b 
servers and users in a subset G ∈ Q. 



350 Paolo D’Arco and Douglas R. Stinson 


Basically, in the above model, we assume that at most b servers can misbehave 
during the initialization phase of the system, and during the key request phase. 
Moreover, these two subsets of bad servers can be different: in other words, we 
assume that the adversary is mobile. Notice that a crash of some of the servers 
in the above model can be seen as a simple type of misbehavior. 

3 A Verifiable Secret Sharing Scheme 

The main component of our (b,t,n,C,Q)-VDKDS is a Verifiable Secret Sharing 
Scheme (VSS, for short). Loosely speaking, in a VSS Scheme, a Dealer shares a 
secret among a set of participants in such a way that each participant can verify 
if the shares he gets, from the dealer during the distribution phase and from the 
other participants during the recovering phase, are consistent with the secret. 
VSS schemes were introduced in [ref]. 

In this section we describe the VSS we are going to use. It is a slightly 
modified version of the scheme proposed by Stinson and Wei in [ref], whose round 
complexity has been improved by applying the technique recently described in 
[ref]. Due to the use of a symmetric polynomial, the scheme of [ref], enhanced 
with the ideas of [ref], is a bit more efficient than the scheme described in [ref] 
with the same parameters (i.e., when b < n/4). Notice that, in the following 
construction, the dealer, after sending messages during the initialization phase, 
becomes inactive. In fact, as we will argue later, he can be completely substituted 
by a joint computation performed by the servers of the system. 

First of all, we recall the definition of a VSS. 

Definition 2. Let D be a dealer and let P_1, ..., P_n be n participants connected 
by secure channels and having access to a broadcast channel. Moreover, let A be 
an adversary that can corrupt up to b of the participants (including the dealer). 
Assume that π is a protocol consisting of two phases, Share and Reconstruct, 
and let S be a set of possible secret values. At the beginning of Share, the dealer 
inputs a secret s ∈ S. At the end of Share each participant P_i outputs a boolean 
value ver_i. At the end of Reconstruct each participant outputs a value in S. 
The protocol π is an (n, t, b, S) Unconditionally Secure Verifiable Secret Sharing 
Scheme if the following properties are satisfied: 

1. If a good player P_i outputs ver_i = 0 at the end of Share, then every good 
player outputs ver_i = 0. 

2. If the dealer is good, then ver_i = 1 for every good P_i. 

3. If at least n − b players P_i output ver_i = 1 at the end of Share, then there 
exists an s' ∈ S such that the event that all good P_i output s' at the end of 
Reconstruct is fixed at the end of Share and s' = s if the dealer is good. 

4. If |S| = q, s is chosen randomly from S and the dealer is good, then any 
coalition of at most t − 1 participants cannot guess, at the end of Share, the 
value s with probability greater than 1/q. 

The scheme we are going to use works as follows: let t, b be two integers such 
that n > t + 3b and t > b. Let S = GF(q) be a finite field and let ω be a primitive 
element in GF(q). All computations are done in the field GF(q). 

Share. 

— When D wants to share a secret value s ∈ S, he chooses a random symmetric 
polynomial 

$$f(x,y) = \sum_{i=0}^{t-1}\sum_{j=0}^{t-1} a_{ij}\, x^i y^j,$$ 

where a_00 = s and a_ij = a_ji for all i, j. Then, for each k, D sends h_k(x) = 
f(x, ω^k) to P_k through a secure channel. At the same time, for each i, P_i 
generates and sends to every P_k a random value r_ik ∈ GF(q) through a 
secure channel. 

— After receiving h_k(x) from D and r_1k, ..., r_nk from the other participants, 
each P_k broadcasts the value h_k(ω^ℓ) + r_kℓ + r_ℓk, for each ℓ ≠ k. 

— Each P_i computes the maximum subset G ⊆ {1, ..., n} such that any 
ordered pair (ℓ, k) ∈ G × G is consistent, i.e., such that h_k(ω^ℓ) + r_kℓ + r_ℓk = 
h_ℓ(ω^k) + r_ℓk + r_kℓ. If |G| ≥ n − b, then P_i outputs ver_i = 1. Otherwise, P_i 
outputs ver_i = 0. 


Reconstruct. 

— Each P_i sends h_i(0) to each P_k, where i ∈ G, the set of good participants 
after Share. 

— After receiving the h_i(0)’s, P_k computes a polynomial f_k(0, y) such that 
f_k(0, ω^i) = h_i(0) for at least n − 2b of the data he has received. This 
operation can be done efficiently, for example, either using the methods 
described in [ref], or using error correction techniques for Reed-Solomon 
Codes [ref]. 

— P_k computes and outputs s' = f_k(0, 0). 


The security of the protocol can be shown along the same line of Theorem 2 
in [ref]. Our only change in the protocol is to Share where, instead of using the 
secure channels for the check of consistency of the shares the dealer D distributes, 
we use random one-time pads and the broadcast channel as in [ref]. With this trick 
we save one round of communication, compared to [ref]. 

4 A Verifiable Distributed Key Distribution Scheme 

Using the VSS described in the previous section, we describe a simplified version 
of a Verifiable DKDS. We assume that a Dealer D initializes the system but, as 
we will show later, this assumption can be easily removed. Our scheme provides 
ℓ-wise independent conference keys, i.e., the ℓ-th conference key is uniformly 
distributed over the set of possible values, even if an adversary already knows 
ℓ − 1 previous conference keys. It works as follows: 
Set Up Phase. 

— Let ℓ_G be the maximum number of conference keys that a group G can 
compute. Assume that ℓ > max_{G ∈ Q} ℓ_G. The dealer chooses a random 
polynomial K(x) = Σ_{z=0}^{ℓ−1} k_z x^z. The conference key for C_s is defined by 
K_s = K(s). 

— Then, for each coefficient k_z of K(x) the dealer runs ℓ independent copies 
Σ_z of the VSS described before, where the secret that Σ_z distributes 
among the servers is k_z. 

— Each server S_i stores the ℓ univariate polynomials h_i^{k_0}(x), ..., h_i^{k_{ℓ−1}}(x) sent 
by the dealer during the executions of the Share Phase of the Σ_z’s, and 
publishes the list of good servers he has found. 


In a VSS, the reconstruction of the secret is done by the participants (i.e., 
the servers in our setting) while in a DKDS each user of a given conference 
contacts the servers, receives some information and computes the common key 
by applying a public function to the values received. A straightforward “solution” 
to this different scenario could be that each server S_i sends, according to the VSS 
scheme, the values of his polynomials evaluated in zero, i.e., h_i^{k_0}(0), ..., h_i^{k_{ℓ−1}}(0), 
to the users. But this is insecure, because, in this case, the user reconstructs all 
the keys! Thus, we need a different approach. Basically, the values sent by the 
servers must enable the user to compute a single key, namely, the one the user is 
asking for. 


Key Request and Key Computation Phases. 

— User U_j ∈ C_s asks a subset of good servers of size at least n − b for the 
key K_s. 

— Each server S_i computes 

$$h_i(0) = h_i^{k_0}(0) + h_i^{k_1}(0)\, s + \cdots + h_i^{k_{\ell-1}}(0)\, s^{\ell-1},$$ 

and sends h_i(0) to the user. 

— The user interpolates a polynomial h(x) such that h(ω^i) = h_i(0) for at 
least n − 2b of the values received. Then, he recovers K_s = h(0). 


Correctness. The correctness of the construction can be shown as follows: 
according to the VSS scheme described in the previous section, each coefficient 
of K(x) can be recovered by applying the Lagrange formula. More precisely, 
assuming that the first t servers are good servers, we have 

$$k_j = \sum_{i=1}^{t} h_i^{k_j}(0)\, b_i, \qquad \text{where } b_i = \prod_{\substack{r=1 \\ r \neq i}}^{t} \frac{\omega^r}{\omega^r - \omega^i}.$$ 

Notice that, 

$$\begin{aligned} 
K(s) &= k_0 + k_1 s + \cdots + k_{\ell-1} s^{\ell-1} \\ 
&= \sum_{i=1}^{t} h_i^{k_0}(0)\, b_i + \Big(\sum_{i=1}^{t} h_i^{k_1}(0)\, b_i\Big) s + \cdots + \Big(\sum_{i=1}^{t} h_i^{k_{\ell-1}}(0)\, b_i\Big) s^{\ell-1} \\ 
&= \sum_{i=1}^{t} \big(h_i^{k_0}(0) + h_i^{k_1}(0)\, s + \cdots + h_i^{k_{\ell-1}}(0)\, s^{\ell-1}\big)\, b_i = \sum_{i=1}^{t} h_i(0)\, b_i = h(0) = K_s. 
\end{aligned}$$ 

In general, since the user does not know a priori which servers send correct 
values, he needs to interpolate a polynomial h(x) which agrees with at least 
n − 2b of the values received, which can be done efficiently by applying the 
techniques given in [ref] or in [ref], exactly as in the VSS. Finally, he recovers the 
common key by evaluating h(x) at x = 0. 

A One-Time Scheme (Toy Example). In order to give to the reader a concrete 
idea of the protocol, let us consider the following example: let q = 7, ω = 3, 
n = 5, t = 2 and b = 1. The dealer defines the keys as points belonging to 
K(x) = 3 + 5x (mod 7) and, to share the coefficients 3 and 5, he chooses two 
symmetric bivariate polynomials, say 

f_1(x, y) = 3 + 5x + 5y + 3xy and f_2(x, y) = 5 + 4x + 4y + 4xy. 

Therefore server S_i, whose public identity is defined by ω^i, gets two 
polynomials h_i^1(x) = f_1(x, ω^i) and h_i^2(x) = f_2(x, ω^i). More precisely, the 
polynomials distributed are listed in the following table 


Server   identifier   h_i^1(x)   h_i^2(x) 
S_1      ω^1 = 3      4          3 + 2x 
S_2      ω^2 = 2      6 + 4x     6 + 5x 
S_3      ω^3 = 6      5 + 2x     1 
S_4      ω^4 = 4      2 + 3x     6x 
S_5      ω^5 = 5      6x         4 + 3x 


The value of the conference key is K_3 = 3 + 5 × 3 mod 7 = 4. Assume that 
servers S_1 and S_2, belonging to the list L of good servers, send to a user in 
C_3 correct values in order to enable him to recover K_3. More precisely, the user 
gets from S_1 the value 4 + 3 × 3 = 6 and the value 6 + 6 × 3 = 3 from S_2. 
Using the public identifiers of S_1 and S_2, the user sets up the two pairs of 
values (3, 6), (2, 3), and by applying the Lagrange Formula, he interpolates the 
polynomial P(x) = 3x − 3 mod 7. It is easy to see that P(0) = 4, and hence 
the user recovers K_3. Moreover, assuming that S_5 was bad in the set up phase, 
the user gets from the other “supposed to be good” servers S_3 and S_4 the values 
2 + 0 × 3 = 2 and 0 + 4 × 3 = 5 (if they are honest). These values belong to 
the polynomial interpolated. Notice that, assuming that S_1 and S_2 send correct 
values (i.e., are honest) and since at most one server (i.e., b = 1) can send an 
incorrect value during the key request phase, at least one of the values sent by 
S_3 and S_4 must agree with P(x). 
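The toy example above (q = 7, ω = 3, n = 5, t = 2, b = 1, K(x) = 3 + 5x and the two bivariate polynomials f_1, f_2) carried through in Python, as an added example that is not part of the paper: the servers' key-request replies, the user's interpolation that tolerates one bad reply by requiring agreement with n − 2b values, and the insecure variant in which raw h_i^{k_z}(0) values let the user recover every coefficient of K(x). The function and variable names are my own.

```python
# Added example (not from the paper): Section 4's toy DKDC over GF(7).
# Parameters from the paper: q = 7, omega = 3, n = 5, t = 2, b = 1,
# K(x) = 3 + 5x, f_1(x,y) = 3+5x+5y+3xy, f_2(x,y) = 5+4x+4y+4xy.
from itertools import combinations

Q = 7                       # the field GF(7); all arithmetic is mod Q
OMEGA = 3                   # primitive element; S_i has identifier OMEGA**i
N, T, B = 5, 2, 1

# Symmetric bivariate polynomials as {(i, j): coefficient of x^i y^j}
F1 = {(0, 0): 3, (1, 0): 5, (0, 1): 5, (1, 1): 3}   # shares k_0 = 3
F2 = {(0, 0): 5, (1, 0): 4, (0, 1): 4, (1, 1): 4}   # shares k_1 = 5
K_COEFFS = [3, 5]                                   # K(x) = 3 + 5x

def omega(i):
    return pow(OMEGA, i, Q)

def univariate_share(f, y):
    """Share phase: h(x) = f(x, y) as a coefficient list [c_0, c_1, ...]."""
    deg = max(i for i, _ in f)
    h = [0] * (deg + 1)
    for (i, j), c in f.items():
        h[i] = (h[i] + c * pow(y, j, Q)) % Q
    return h

def poly_eval(coeffs, x):
    return sum(c * pow(x, e, Q) for e, c in enumerate(coeffs)) % Q

def raw_reply(i):
    """The insecure variant: S_i hands out h_i^{k_0}(0), h_i^{k_1}(0) as-is."""
    return [univariate_share(f, omega(i))[0] for f in (F1, F2)]

def server_reply(i, s):
    """Key-request phase: S_i returns h_i(0) = h_i^{k_0}(0) + h_i^{k_1}(0) * s,
    which binds the reply to the single conference key K_s."""
    return sum(p * pow(s, z, Q) for z, p in enumerate(raw_reply(i))) % Q

def lagrange_eval(points, x):
    """Evaluate at x the polynomial of degree < len(points) through `points`."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, Q - 2, Q)) % Q
    return total

def recover_key(replies):
    """Key-computation phase. `replies` maps server index -> received value
    (a bad server may have lied). Find a degree-(t-1) polynomial agreeing with
    at least n - 2b of the replies and return its value at 0, else None."""
    pts = [(omega(i), v) for i, v in replies.items()]
    for subset in combinations(pts, T):
        agree = sum(1 for x, v in pts if lagrange_eval(subset, x) == v)
        if agree >= N - 2 * B:
            return lagrange_eval(subset, 0)
    return None

def coefficients_from_raw(servers):
    """With t raw replies the user interpolates every k_z, i.e. all of K(x):
    this is why the straightforward 'solution' of Section 4 is insecure."""
    return [lagrange_eval([(omega(i), raw_reply(i)[z]) for i in servers], 0)
            for z in range(len(K_COEFFS))]

if __name__ == "__main__":
    s = 3
    honest = {i: server_reply(i, s) for i in (1, 2, 3, 4)}   # contact n-b servers
    print("K_3 =", poly_eval(K_COEFFS, s), "recovered:", recover_key(honest))
    lying = {1: honest[1], 2: honest[2], 4: honest[4], 5: 0}  # S_5 sends a wrong value
    print("with one bad reply:", recover_key(lying))
    print("raw replies leak K(x):", coefficients_from_raw([1, 2]))
```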

Security. The security of the protocol can be shown by considering the following 
possible cases: 

— Coalition of Users. As long as a group G ∈ Q does not recover more than 
ℓ conference keys and, more precisely, does not obtain information from 
the servers for more than ℓ conference keys, the group cannot compute any 
information about another conference key in an information theoretic sense. 
This property easily follows from the assumption that the conference keys 
are values of a polynomial of degree ℓ − 1 (i.e., they are ℓ-wise independent). 
By the ℓ-wise independence, it is easy to see that a coalition holding ℓ − 1 
pairs (s, K_s), for any choice of an ℓ-th pair (s', K_{s'}) can interpolate a different 
polynomial of degree ℓ − 1. Hence, the ℓ-th key is unconditionally secure. 

— Coalition of Servers. By the property of the VSS, any coalition of b servers, 
even putting together all the information received during the set up phase, 
cannot compute any information about any conference key, because each 
coefficient of the polynomial determining the keys is shared in the VSS by a 
t-degree polynomial, where t > b. Moreover, users reconstruct the conference 
keys even if at most b servers are bad during the initialization phase and at 
most b (possibly different) servers send incorrect information to the users 
during the key-request phase. Hence, in this case, the security follows from 
the security of the VSS (see, e.g., Theorem 2 in [ref]). 

— Coalitions of Users and Servers. The worst scenario we have to consider is 
when b servers collude with a group of users G ∈ Q who has run the protocol 
many times, recovering a bunch of conference keys. For example, assuming 
that the bad servers are S_1, ..., S_b, the information the coalition possesses is 
given by the partial polynomials h_1^{k_0}(x), ..., h_1^{k_{ℓ−1}}(x), ..., h_b^{k_0}(x), ..., h_b^{k_{ℓ−1}}(x) 
plus the values received by the users during the previous executions of the 
protocol in order to retrieve some conference keys. As the previous cases have 
shown, the two types of information by themselves are useless in order to 
find out information about a new key. However, it is not difficult to see that 
even the joint knowledge of this information does not help, since the coalition 
does not have “enough points” to interpolate a new key. Actually, any new 
key can still assume any possible value, for each choice of the values that 
should be provided by a group of at least t − b other servers (i.e., perfectly 
secure). 

Remark. The Dealer D can be easily removed from the above protocol since it 
can be removed from the VSS scheme, as shown in [ref]: each participant, during 
Share, chooses a different secret value and executes the protocol. The real shared 
value is given by the sum of the values chosen by the good participants. Along 
the same line, each server of the system, during the initialization phase of the 
VDKDS, can act as the dealer, choosing a different polynomial. In this case the 
keys are points of the polynomial obtained by summing up the polynomials chosen 
by the good servers. The presence of the dealer has been used only to simplify 
the description of the protocol. Moreover notice that the assumption that there 
are at most b bad servers in this scenario implies that the Share Phase of the 
VSS protocol is always successfully completed by the good servers. 

5 Proactivity 

The concept of proactive security was introduced in [ref] and applied to the secret 
sharing setting in [ref]. Basically the idea is that, if the information stored by the 
servers in order to share a given secret stays the same for all the lifetime of 
the system, then an adversary can eventually break into a sufficient number of 
servers to learn or destroy the secret. On the other hand, if time is divided into 
periods, and at the beginning of each period the information stored by the servers 
in a given time period changes (while the shared secret stays the same), then 
the adversary probably does not have enough time to break into the necessary 
number of servers. Moreover, the information he learns during period p is useless 
during period p + i, for i = 1, 2, .... So, he has to start a new attack from scratch 
during each time period. 

The design of a Proactive VDKDS easily follows once we have a Proactive 
VSS. Therefore, in the following subsections we address the construction of 
unconditionally secure proactive VSS. Notice that, in [ref], a simple solution to set 
up a Proactive VDKDS was given, but as we show in Appendix A, it does not 
work. 


5.1 An Unconditionally Secure Proactive VSS 
for b < t − 1 Bad Servers 

The first unconditionally secure proactive VSS was proposed by Stinson and 
Wei in [ref], where proactivity is added to the basic VSS described before. A 
generalization of that scheme has subsequently been given in [ref]. We start by 
analyzing a weakness of the scheme given in [ref], and we show how it can be 
used to attack the proactive security property. Then, we show a variation of the 
scheme that solves the problem. Moreover, we describe another technique that 
can be used to add proactive security to both VSSs given in [ref] and [ref] for the 
case in which the number of bad servers is b < t − 1. 

Let t > b + 1. We assume that time is divided in periods p = 1, 2, .... Each 
good server, at the beginning of the new period, performs the steps given in the 
following table to renew the shares [ref]. 

Renewal 

1. Each server P_ℓ selects a random symmetric polynomial 

$$r_\ell(x,y) = \sum_{i=0}^{t-1}\sum_{j=0}^{t-1} r_{ij}\, x^i y^j,$$ 

where r_00 = 0 and r_ij = r_ji for all i, j. 

2. P_ℓ sends h_k^ℓ(x) = r_ℓ(x, ω^k) to P_k for k = 1, 2, ..., n by a secure channel, 
and broadcasts h_0^ℓ(x) = r_ℓ(x, 0). 

3. P_k checks whether h_0^ℓ(0) = 0 and h_k^ℓ(0) = h_0^ℓ(ω^k). If the conditions are 
satisfied, then P_k computes and sends to P_m the value h_k^ℓ(ω^m). Otherwise 
P_k broadcasts an accusation of P_ℓ. 

4. P_m checks whether h_m^ℓ(ω^k) = h_k^ℓ(ω^m) for all values of ℓ not accused by 
n − b servers of the system. If the equation is not true for more than b 
values of k, then P_m broadcasts an accusation of P_ℓ. 

5. If P_ℓ is accused by at most b servers, then he can defend himself as follows: 
for those P_i he is accused by, P_ℓ broadcasts h_i^ℓ(x). Then, server P_k checks 
whether h_i^ℓ(ω^k) = h_k^ℓ(ω^i) and broadcasts “yes” or “no”. If there are at 
least n − b − 2 servers broadcasting yes, then P_ℓ is not a bad server. 

6. P_m updates the list of good servers L (i.e., all the values ℓ for which P_ℓ 
is accused by at least b + 1 servers, or found bad in the previous step, are 
not in L). Then, P_m updates its shares as 

$$h_m(x) \leftarrow h_m(x) + h_m^k(x)$$ 

for all k ∈ L. 

Unfortunately, the symmetry of the polynomial r_ℓ(x, y) can be used by bad 
servers to break the scheme. Indeed, during step 2, server P_ℓ broadcasts the 
polynomial h_0^ℓ(x) = r_ℓ(x, 0) = r_ℓ(0, y). Hence, any server can compute the 
values h_0^ℓ(ω^k) = r_ℓ(0, ω^k) = h_k^ℓ(0) for k = 1, ..., n. Then, in step 6, each good 
player P_m updates his own share h_m(x) by adding Σ_{k ∈ L} h_m^k(x). At this point 
notice that, according to the VSS, the only part of the share h_m(x) used to 
reconstruct the secret is h_m(0), the first coefficient of the polynomial, which is 
updated by Σ_{k ∈ L} h_m^k(0). 

But this sum can be computed by everybody using the public broadcasts 
in step 2. The consequence is that if a passive adversary breaks into server P_m 
during period p, he can still use the share h_m(0) during periods p + i because he 
can compute all the updates for this coefficient performed between period p and 
period p + i. More precisely, if the adversary learns the shares h_1(0), ..., h_b(0) 
held by S_1, ..., S_b during period p, and he learns h_{b+1}(0), ..., h_{b+s}(0) held by 
S_{b+1}, ..., S_{b+s} during period p + 1 (the adversary is mobile), then he can 
compute the new shares held by S_1, ..., S_b during period p + 1 from h_1(0), ..., h_b(0) 
and the broadcasts of period p + 1, and if b + s ≥ t he can recover the secret. 
Hence, the proactive security property is lost because the renewal scheme does 
not render useless the shares learnt during the previous period. Exactly the same 
strategy can be applied to break the Renewal procedure given in [ref], which is 
a generalization of the one given in [ref]. 

Basically, the problem in the above procedure is due to the broadcast in Step 
2 of h_0^ℓ(x), needed to verify that the update does not destroy the secret, and 
the symmetry of r_ℓ(x, y). We propose two solutions. The first one changes the 
structure of the renewal phase in order to avoid the broadcast. The second keeps 
the same structure as before, but removes the symmetry property of r_ℓ(x, y). 
Let us describe the first approach: We would like to refresh the shares still 
by summing up “new shares” derived from a random symmetric polynomial 

$$r(x,y) = \sum_{i=0}^{t-1}\sum_{j=0}^{t-1} r_{i,j}\, x^i y^j$$ 

whose known coefficient is r_{0,0} = 0. Indeed, this property guarantees that the 
secret stays the same. However, some server P_ℓ can be bad and can choose a 
polynomial r_ℓ(x, y) where r_{0,0} ≠ 0. In order to prevent this problem, avoiding 
the broadcast, we generate r(x, y) as 

$$r(x,y) = (x + y)\, r^*(x,y), \qquad \text{where } r^*(x,y) = \sum_{i=0}^{t-2}\sum_{j=0}^{t-2} r^*_{i,j}\, x^i y^j$$ 

is given by the sum of the partial choices 

$$r_\ell(x,y) = \sum_{i=0}^{t-2}\sum_{j=0}^{t-2} r^\ell_{i,j}\, x^i y^j$$ 

of the good players P_ℓ, and the term (x + y) is introduced by each server through 
a private computation. In this way, the condition r_{0,0} = 0 is surely satisfied and 
the polynomial remains symmetric. From a technical point of view, the degree of 
r(x, y) must be t − 1 in order to enable the reconstruction of the secret. Hence, 
due to the generation rule for r(x, y), every r_ℓ(x, y) must have degree t − 2. 


Renewal 

1. Each server P_ℓ selects a random symmetric polynomial 

$$r_\ell(x,y) = \sum_{i=0}^{t-2}\sum_{j=0}^{t-2} r_{ij}\, x^i y^j,$$ 

where r_ij = r_ji for all i, j. 

2. P_ℓ sends h_k^ℓ(x) = r_ℓ(x, ω^k) to P_k for k = 1, 2, ..., n by a secure channel. 

3. After receiving h_k^ℓ(x), P_k computes and sends the value h_k^ℓ(ω^m) to P_m, 
for m = 1, ..., n, by a secure channel. 

4. P_m checks whether h_m^ℓ(ω^k) = h_k^ℓ(ω^m) for k = 1, ..., n. If the equation is 
not true for more than b values of k, then P_m broadcasts an accusation of 
P_ℓ. 

5. If P_ℓ is accused by at most b servers, then he can defend himself as 
follows: For those P_i he is accused by, P_ℓ broadcasts h_i^ℓ(x). Then, server 
P_k checks whether h_i^ℓ(ω^k) = h_k^ℓ(ω^i) and broadcasts “yes” or “no”. If, for 
every broadcasted h_i^ℓ(x), there are at least n − b − 2 servers broadcasting 
yes, then P_ℓ is not a bad server. In this case, if P_i has an h_i^ℓ(x) different 
from the one that P_ℓ has broadcasted, then he stores the broadcasted one. 

6. P_m updates the list L of good servers (i.e., the servers found bad in the 
previous step are not in L) and updates his share as 

$$h_m(x) \leftarrow h_m(x) + (x + \omega^m)\, h^*_m(x),$$ 

where h^*_m(x) = Σ_{ℓ ∈ L} h_m^ℓ(x). 


Notice that the above procedure is a slightly revised version of the one we 
initially proposed [ref]: it incorporates the observations and the work done by 
Nikov et al. [ref] on our preprint [ref]. See [ref] for details. 

Security (Sketch). The security of the above protocol can be shown by proving 
that the secret stays the same and the update of the shares cannot be computed 
by a coalition of bad servers. Concerning the first property, notice that the secret 
s is shared by the VSS by means of h_1(x), ..., h_n(x). More precisely, it is the 
first coefficient of the polynomial h(x, 0). Since during Renewal each server P_m 
computes a new share as h_m(x) ← h_m(x) + (x + ω^m) h^*_m(x), implicitly the secret 
becomes the first coefficient of the new polynomial h(x, 0) + x h^*(x, 0), where 
x h^*(x, 0) is zero when evaluated at x = 0. Hence, the secret stays the same. 

About the security of the update, notice that if the adversary controls b 
servers, say S_1, ..., S_b, he can compute at most b < t − 1 points h^*_m(ω^1), ..., h^*_m(ω^b), 
which give no information about the polynomial h^*_m(x) used by P_m to update his 
share for any m ∉ {1, ..., b}. Moreover, due to the random choices performed at 
each execution of Renewal, it is not difficult to check that the adversary cannot 
use the information learnt in period p during period p + 1 or in any other period. 
Finally notice that, during step 4, a good server P_ℓ, in order to defend himself, 
broadcasts at most b polynomials h_k^ℓ(x), corresponding to the P_k he is accused 
by. Assuming that t > b + 1, the polynomials broadcasted give no information 
about r_ℓ(x, y). This implies again that an adversary can gain no information 
about h_m^ℓ(x), for every P_m not belonging to the coalition of corrupted servers. 

During each time period, the servers need to check if some of them have been corrupted by the adversary. Indeed, those servers should be rebooted$^2$ in order to recover a correct functionality. The following procedures enable the detection of corrupted servers and the recovery of good shares, once the corrupted servers have been rebooted [21]. 


Detection 

1. $P_\ell$ computes and sends $h_\ell(\omega^k)$ to $P_k$ for $k = 1, 2, \ldots, n$ by secure channels. 

2. $P_k$ checks whether $h_\ell(\omega^k) = h_k(\omega^\ell)$. $P_k$ then broadcasts an accusation list$_k$ which contains those $\ell$ such that $h_\ell(\omega^k) \neq h_k(\omega^\ell)$ or $h_\ell(\omega^k)$ was not received. 

3. Each good server updates the list $\mathcal{L}$ so that it does not contain those $\ell$ accused by at least $b+1$ servers of the system. 


Recovery 

1. For each $\ell \notin \mathcal{L}$, every good server $P_i$ computes and sends $h_i(\omega^\ell)$ to $P_\ell$. 

2. Upon receiving the data, $P_\ell$ computes the polynomial $h_\ell(x)$ that agrees with the majority of the values $h_i(\omega^\ell)$ he has received. $P_\ell$ sets $h_\ell(x)$ as his new share. 


$^2$ We can assume that there is a distributed rebooting scheme enabling a majority of servers to decide to reboot some other servers when they detect that such servers have been corrupted. Otherwise, the system manager who installs the programs is alerted by the good servers and reboots the bad ones [?]. 
To understand the above procedures, notice that, when the secret is shared by means of the VSS, the shares held by $P_i$ and $P_j$ satisfy $h_i(\omega^j) = h_j(\omega^i)$. This property even holds for the polynomials $h^*_i(x)$ and $h^*_j(x)$ generated during Renewal. Moreover, due to the choice of the updating rule, i.e., $h_m(x) \leftarrow h_m(x) + (x + \omega^m)\, h^*_m(x)$, the symmetry $h_i(\omega^j) = h_j(\omega^i)$ is still maintained after every update phase. 
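The Detection, Recovery and Renewal steps above, as an added Python example that is not part of the paper: a toy symmetric bivariate VSS over GF(p) in which one server's share is overwritten, the symmetry check $h_\ell(\omega^k) = h_k(\omega^\ell)$ flags that server, the rebooted server re-interpolates its share from the majority of the values it receives, and one Renewal round is shown to keep both the secret and the symmetry. The field, the values of t, n and b, the generator for the points $\omega^m$, and the degree t-2 of the update polynomials $r_\ell(x,y)$ are my assumptions, not the paper's.

```python
"""Toy proactive symmetric VSS over GF(p): dealing, Detection, Recovery and the Renewal
update h_m(x) <- h_m(x) + (x + w^m) h*_m(x). Constructed example, not the paper's code; t, n, b,
the field and the degree t-2 of the update polynomials r_l(x, y) (so shares keep degree t-1) are assumptions."""
import random
from itertools import combinations

P = 2**31 - 1        # constructed prime field; 7 is a primitive root of this Mersenne prime
T, N, B = 3, 6, 1    # threshold t, servers n, tolerated bad servers b (t > b + 1)

def omega(m):
    return pow(7, m, P)          # server points w^m: powers of a generator, as in the paper

def eval_poly(coeffs, x):
    """coeffs[i] is the coefficient of x^i."""
    r = 0
    for c in reversed(coeffs):
        r = (r * x + c) % P
    return r

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def interpolate(points):
    """Lagrange interpolation; returns coefficients of the degree < len(points) polynomial."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        num, den = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num, den = poly_mul(num, [(-xj) % P, 1]), den * (xi - xj) % P
        scale = yi * pow(den, P - 2, P) % P
        for d, c in enumerate(num):
            coeffs[d] = (coeffs[d] + c * scale) % P
    return coeffs

def sym_bivariate(const, deg):
    """Random symmetric h(x,y) = sum a_ij x^i y^j, degree deg in each variable, a_00 = const."""
    A = [[0] * (deg + 1) for _ in range(deg + 1)]
    for i in range(deg + 1):
        for j in range(i, deg + 1):
            A[i][j] = A[j][i] = random.randrange(P)
    A[0][0] = const
    return A

def share_of(A, point):
    """h(x, point) as a univariate coefficient list: the share h_m(x) when point = w^m."""
    return [eval_poly(row, point) for row in A]

def detection(shares, good):
    """P_l sends h_l(w^k) to every P_k, who accuses l if it differs from h_k(w^l); b+1 accusations drop l."""
    accusations = {l: 0 for l in good}
    for k in good:
        for l in good:
            if l != k and eval_poly(shares[l], omega(k)) != eval_poly(shares[k], omega(l)):
                accusations[l] += 1
    return [l for l in good if accusations[l] < B + 1]

def recovery(shares, good, l):
    """Good P_i send h_i(w^l) = h_l(w^i) to rebooted P_l, which keeps the majority-consistent polynomial."""
    values = [(omega(i), eval_poly(shares[i], omega(l))) for i in good if i != l]
    for subset in combinations(values, T):
        cand = interpolate(list(subset))
        if 2 * sum(eval_poly(cand, x) == y for x, y in values) > len(values):
            return cand

def renewal(shares, good):
    """Each good P_l deals r_l(x,y) with r_l(0,0) = 0; P_m gets h_l^m(x) = r_l(x, w^m) and applies the update rule."""
    r = {l: sym_bivariate(0, T - 2) for l in good}
    new = {}
    for m in good:
        hstar = [0] * (T - 1)
        for l in good:
            hstar = [(a + b) % P for a, b in zip(hstar, share_of(r[l], omega(m)))]
        upd = poly_mul([omega(m), 1], hstar)               # (x + w^m) h*_m(x)
        new[m] = [(a + b) % P for a, b in zip(shares[m], upd)]
    return new

def recover_secret(shares, servers):
    """h_m(0) = h(0, w^m): interpolate h(0, y) from t of them and evaluate at y = 0."""
    return eval_poly(interpolate([(omega(m), shares[m][0]) for m in servers[:T]]), 0)

def demo(seed=1):
    random.seed(seed)
    secret = 123456789
    A = sym_bivariate(secret, T - 1)
    shares = {m: share_of(A, omega(m)) for m in range(1, N + 1)}
    shares[3] = [random.randrange(P) for _ in range(T)]     # server 3 corrupted: share overwritten
    good = detection(shares, list(range(1, N + 1)))          # the 5 honest servers accuse 3
    shares[3] = recovery(shares, good, 3)                    # rebooted server 3 regains its share
    good = sorted(good + [3])
    new = renewal(shares, good)
    symmetric = all(eval_poly(new[i], omega(j)) == eval_poly(new[j], omega(i))
                    for i in good for j in good)
    return good, recover_secret(new, good) == secret, symmetric
```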

These three protocols provide the VSS scheme described in the previous 
section with proactive security, and they can be used, as we show later, to set 
up a proactive VDKDS. 

The second approach for adding proactive security to the basic VSS given in [?] relies on the use of a generic (non-symmetric) polynomial $r_\ell(x,y)$. Let us consider the following procedure: 


Renewal 

1. Each server $P_\ell$ selects a random polynomial 

$r_\ell(x,y) = \sum_{i,j} r_{i,j}\, x^i y^j,$ 

where $r_{0,0} = 0$. 

2. $P_\ell$ sends $f^k_\ell(x) = r_\ell(x, \omega^k)$ and $g^k_\ell(y) = r_\ell(\omega^k, y)$ to $P_k$ by a secure channel, and broadcasts $g^0_\ell(x) = r_\ell(x, 0)$. 

3. $P_k$ checks whether $g^0_\ell(0) = 0$, $g^0_\ell(\omega^k) = g^k_\ell(0)$, and $f^k_\ell(\omega^k) = g^k_\ell(\omega^k)$. If the conditions are satisfied, then $P_k$ computes and sends the value $f^k_\ell(\omega^m)$ to $P_m$ by a secure channel, for $m = 1, \ldots, n$. Otherwise, $P_k$ broadcasts an accusation of $P_\ell$. 

4. $P_m$ checks whether $f^k_\ell(\omega^m) = g^m_\ell(\omega^k)$ for all values of $\ell$ not accused by $n - b$ servers of the system. If the equation is not true for more than $b$ values of $k$, then $P_m$ broadcasts an accusation of $P_\ell$. 

5. If $P_\ell$ is accused by at most $b$ servers, then $P_\ell$ can defend himself as follows. For those $P_k$ he is accused by, $P_\ell$ broadcasts $f^k_\ell(x)$ and $g^k_\ell(y)$. Then, server $P_j$ checks whether $f^k_\ell(\omega^j) = g^j_\ell(\omega^k)$ and $g^k_\ell(\omega^j) = f^j_\ell(\omega^k)$, and broadcasts "yes" or "no". If, for every broadcast pair of polynomials $(f^k_\ell(x), g^k_\ell(y))$, there are at least $n - b - 2$ servers broadcasting yes, then $P_\ell$ is not a bad server. In this case, if $P_k$ has a pair $(f^k_\ell(x), g^k_\ell(y))$ different from the one that $P_\ell$ has broadcast, then he stores the broadcast one. 

6. $P_m$ updates the list of good servers $\mathcal{L}$ (i.e., the values $\ell$ for which $P_\ell$ is accused by at least $b+1$ servers, or found bad in the previous step, are not in $\mathcal{L}$). Then, $P_m$ updates his share as 

$h_m(x) \leftarrow h_m(x) + f^m_k(x)$ 

for all $k \in \mathcal{L}$. Moreover, he updates his information for verification (which is $g_m(y) = h_m(x)$ at the first execution of Renewal) by setting 

$g_m(y) \leftarrow g_m(y) + g^m_k(y)$ 

for all $k \in \mathcal{L}$. This information is used in the Detection procedure. 
Security (Sketch). The security of the protocol follows from the following observations: first of all notice that from the broadcast $g^0_\ell(x) = r_\ell(x,0) \neq r_\ell(0,y)$, the value $f^k_\ell(0) = r_\ell(0, \omega^k)$ cannot be computed. Moreover, every participant, during steps 3 and 4, checks that the update does not destroy the shared secret, and that the polynomials they have received are consistent. Moreover, as we have already seen before, the condition $t > b+1$ ensures that the polynomials broadcast in step 5 by $P_\ell$, to defend himself against at most $b$ bad $P_j$, do not give any information about $r_\ell(x,y)$, and hence do not give any information about $f^m_\ell(x)$ for any $P_m$ not belonging to the coalition of bad servers. 

This procedure can be applied to both VSSs given in [?] and [?] when $b < \ldots - 1$. In fact, when applied to the scheme in [?], the polynomial $g_m(y)$ in Step 5 at the first execution of Renewal is already different from $h_m(x)$: it is the polynomial $g_m(y)$ used for verification given by the VSS described in [?]. Actually, the above procedure has the structure of the procedure given in [?], but it has been modified according to the design of the VSS given in [?]. 

The following protocols enable the detection of corrupted servers and the 
recovering of good shares for the rebooted servers. 


Detection. 

1. $P_\ell$ computes and sends $h_\ell(\omega^k)$ to $P_k$ for $k = 1, 2, \ldots, n$ by secure channels. 

2. $P_k$ checks whether $h_\ell(\omega^k) = g_k(\omega^\ell)$. $P_k$ then broadcasts an accusation list$_k$ which contains those $\ell$ such that $h_\ell(\omega^k) \neq g_k(\omega^\ell)$ or $h_\ell(\omega^k)$ was not received. 

3. Each good server updates the list $\mathcal{L}$ so that it does not contain those $\ell$ accused by at least $b+1$ servers of the system. 


Recovering 

1. For each $\ell \notin \mathcal{L}$, every good server $P_i$ computes and sends $h_i(\omega^\ell)$ and $g_i(\omega^\ell)$ to $P_\ell$. 

2. Upon receiving the data, $P_\ell$ computes two polynomials $h_\ell(x)$ and $g_\ell(y)$ that agree with the majority of the values $h_i(\omega^\ell)$ and $g_i(\omega^\ell)$ it has received. $P_\ell$ sets $h_\ell(x)$ as its share and $g_\ell(y)$ as its verification information. 


We would like to point out that both the Renewal phases described before 
can be implemented by using random one-time pads and the broadcast channel, 
instead of using secure channels for the checks of consistency of the shares. 
Such an approach enables saving one round of communication, but the resulting 
procedures are perhaps less readable than the previous ones. 


5.2 A Proactive VDKDS 

At this point, we have all the tools to set up a Proactive VDKDS. To summarize: 

— In the protocol for a VDKDS, described in Section 4, the keys are values of a polynomial whose coefficients are (verifiably) shared among the servers. More precisely, to set up the DKDC, each server $P_m$ chooses a random polynomial 

$K_m(x) = \sum_{i=0}^{\ell-1} k_i^{(m)} x^i.$ 

Then, $P_m$ uses $\ell$ different instances of the VSS given in Section 3, i.e., one for each coefficient, to distribute in a verifiable way the coefficients of his polynomial $K_m(x)$. According to the VSS, each server $P_k$ receives $\ell$ polynomials from $P_m$, one for each coefficient $k_i^{(m)}$. The conference key for $C_s$ is then defined to be $k_s = K(s)$, where 

$K(s) = \sum_{i=0}^{\ell-1} k_i s^i = \sum_{m \in \mathcal{L}} K_m(s)$ 

and $\mathcal{L}$ is the list of good servers. At the end of the set up phase, every server $P_k$ stores $\ell$ polynomials, $h^0_k(x), \ldots, h^{\ell-1}_k(x)$, each sharing one coefficient of $K(x)$, by summing up the partial shares/polynomials received for each coefficient $k_i$ from servers $P_m$ belonging to the list of good servers. 

— Therefore, a straightforward solution to gain proactive security could be to directly apply, at the beginning of each time period, the Detection, Recovery and Renewal procedures for each coefficient of the polynomial $K(x)$, generated by the good servers during the set up phase of the system. 

6 Conclusions 

In this paper we have shown how to set up a Robust Distributed Key Distribution Scheme, enabling a set of servers to jointly realize a Key Distribution Center. We have used unconditionally secure verifiable proactive secret sharing schemes as a building block. As well, we have revised the unconditionally secure VSS described by Stinson and Wei in [21], proposing a modified version which is proactively secure. Moreover, we have given proactive routines that can be applied to both schemes given in [?, 18] when $b < \ldots$. Since the proactive security property can be useful in several settings in which the adversary is mobile, the applicability of such schemes is of independent interest, beyond the specific application to key distribution that has been addressed in this paper. In the full version of the paper we will provide complete proofs, and the case in which the number of bad servers is $b < \ldots$ will be considered as well. 
A A $(k, n, \mathcal{C}, \mathcal{G})$-DKDS 

In a $(k, n, \mathcal{C}, \mathcal{G})$-DKDS, each user can compute a common key by interacting with any $k$-subset of the $n$ servers at his choice. In [?], a construction based on bivariate polynomials for a $(k, n, \mathcal{C}, \mathcal{G})$-DKDS was proposed. Basically, it works as follows: Each of the servers $S_1, \ldots, S_k$, performing the initialization phase, constructs a random bivariate polynomial $P^i(x,y)$ of degree $k-1$ in $x$, and $\ell-1$ in $y$, and sends $Q^i_j(y) = P^i(j,y)$ to the server $S_j$, for $j = 1, \ldots, n$. Server $S_j$ computes his private information, $Q_j(y)$, by adding the $k$ polynomials received from $S_1, \ldots, S_k$. A user who wants to compute a conference key, $K_h$, sends to (at least) $k$ servers a key request. Each server $S_j$, invoked by the user, checks that the user belongs to $C_h$, and sends to the user the value $Q_j(h)$. Using the $k$ values received from the servers, and applying the Lagrange formula for polynomial interpolation, each user in $C_h$ recovers the secret key $P(0,h) = \sum_{i=1}^{k} P^i(0,h)$ (see [?] for details). 

The construction is correct and secure, according to the model considered in [?]. In order to introduce verifiability and proactivity, the following approach was suggested in [?]. Time is divided in periods. At the beginning of period $t$, for $i = 1, \ldots, k$, each server $S_i$ performing the initialization chooses a random polynomial $P^i_t(x,y)$ of degree $k-1$ in $x$ and $\ell-1$ in $y$ such that $P^i_t(0,h) = 0$ for each $h \in Z_q$. Then, for $i = 1, \ldots, k$, server $S_i$ sends, for $j = 1, \ldots, n$, the univariate polynomial $Q^i_{t,j}(y) = P^i_t(j,y)$ to server $S_j$, and broadcasts the univariate polynomial $P^i_t(x,c)$, where $c$ is a public point. Then, for $j = 1, \ldots, n$, server $S_j$ checks that $P^i_t(x,c)$ evaluated in $x = 0$ is zero (i.e., $P^i_t(0,c) = 0$) and that the broadcast polynomial is consistent with $Q^i_{t,j}(y)$ (i.e., $Q^i_{t,j}(c) = P^i_t(j,c)$). Finally, if the check is satisfied, $S_j$ updates his private information by computing $Q_j(y) \leftarrow Q_j(y) + \sum_{i=1}^{k} Q^i_{t,j}(y)$. Unfortunately, a server sending information during the update phase can cheat, as shown by the following example. 

Example. Let us consider a $(3, 3, \mathcal{C}, \mathcal{G})$-DKDS. The polynomial $P^i_t(x,y)$ chosen by $S_i$ at the beginning of the period in order to update the system is of degree 2 in $x$ and $\ell-1$ in $y$. A cheating $S_i$ can choose $P^i_t(x,y) = a + b_1 x + b_2 x^2 + P_y(y)$, where $a = -P_y(c)$ and $P_y(y) = \sum_{j=1}^{\ell-1} p_j y^j$. It is not difficult to check that $P^i_t(0,c) = 0$ and that $P^i_t(x,c) = b_1 x + b_2 x^2$ is equal to $Q^i_{t,j}(y)$ when the first one is evaluated in $j$ and the second one in $c$. But $P^i_t(0,d) \neq 0$ for any $d \neq c$. 


Abstract. We study how digital signature schemes can generate signatures as short as possible, in particular in the case where partial message recovery is allowed. We give a concrete proposition named OPSSR that achieves the lower bound for message expansion, and give an exact security proof of the scheme in the ideal cipher model. We extend it to the multi-key setting. We also show that this padding can be used for an asymmetric encryption scheme with minimal message expansion. 

Keywords: digital signature, padding, random oracle and ideal cipher 
models, proven security. 


1 Introduction 

1.1 Overview of the Results 

A digital signature scheme allows a signer to transform an arbitrary message 
into a signed message, such that anyone can check the validity of the signed 
message using the signer’s public key, but only the signer is able to generate 
signed messages. A signed message contains the information about the message, 
plus some information to prove its validity. For example in the case of a scheme 
without message recovery, the signed message is the concatenation of the message 
and of a signature. 

The message expansion of a signature scheme is the difference between the length of the signed message and the original message. It is the length of the signature, if there is no message recovery. We show how to obtain message expansion as small as possible, with a concrete scheme having proven security in the ideal cipher model. The OPSSR technique is a padding for schemes based on trapdoor one-way bijections. Its performance cost is small, and its security is similar to the other schemes in the hash-then-invert paradigm. 

The paper is organized as follows. Section 2 describes a formalism for digital signature schemes and describes the properties of the RSA trapdoor one-way bijection. Section 3 shows what are the lower bounds for message expansion. Section 4 describes OPSSR, which has minimal message expansion. Section 5 raises and solves a theoretical problem that arises when having an idealized security model for a multi-key setting. Section 6 discusses open problems. Appendix A compares OPSSR with other paddings. Appendix B explains why OPSSR can also be used for encryption. 

* Part of this work has been supported by the Commission of the European Commu- 


1.2 Related Work 

Many schemes have been proposed with short signatures [?], but their exact security is not proven to be equivalent to the underlying problem with the same parameters, because their security proofs are not tight. Therefore if the parameters are chosen to give short signatures, the security of those schemes is not proven. 

Partial message recovery can allow one to reduce message expansion when having security parameters corresponding to the tightness of the security proof. Message recovery has been used to reduce the message expansion in the PSS scheme [2], the Pintsov-Vanstone scheme [?] or the DSA-like schemes [?]. But those schemes do not achieve minimal signature length. 

Coron [?] has shown how to reduce the length of the random salt in PSS, to improve the amount of message recovered, and reduce the message expansion. But the result of this improvement is still not optimal. 

Coron, Joye, Naccache and Paillier [?] have shown that the PSS padding, which was designed for signature, can also be used for encryption. 


1.3 Our Contribution 

We introduce the definition of message expansion, which generalizes the notion of short signature to schemes with message recovery. We show what is the minimal possible message expansion for a given proven security requirement. We describe a padding that achieves this lower bound and that can be used with RSA. This padding can be viewed as a generalization of PSSR and many other paddings. We also show that most current schemes proven secure in an idealized model should undergo a small modification that increases their security in the multi-key setting. 


2 Definitions 

2.1 Digital Signature Schemes 

Notations. If the variable $x$ represents a value taken from a finite set $X$ of $n$ elements, then we say that the size of $x$ is the value $\#x = \#X = \log_2 n$, which may not be an integer. 

If the elements of $X$ can be represented by bit strings, then $\|x = \|X$ is the length of the bit strings. Of course, $\#x \le \|x$. 

For variables $x \in X$ and $y \in Y$, the corresponding element of $X \times Y$ is written as $x\|y$. This notation comes from the fact that if $x$ and $y$ are bit strings, then $x\|y$ is the concatenation of these strings. 
Definitions. A signature scheme is described by the following four algorithms: 

— a parameter generation Generate : $\rho \mapsto$ param, 

— a key generation KeyGen$_{\mathrm{param}}$ : $\rho' \mapsto (pk, sk)$, 

— a signature generation Sign$_{\mathrm{param},pk,sk}$ : $(m, r) \mapsto \sigma$, 

— and a signature verification Ver$_{\mathrm{param},pk}$ : $(\sigma, r') \mapsto m$ or reject. 

All these algorithms are deterministic, and the inputs $\rho$, $\rho'$, $r$ and $r'$ (if non empty) contain the randomization for the algorithms. They may have some specific format. 

Signature schemes with appendix have the property that $\sigma = m\|s$. Signature schemes with message recovery usually have the property that $\sigma = \bar{m}\|s$ and that the whole message is $m = \bar{m}\|\tilde{m}$, where $\tilde{m}$ is the recovered part of the message. They typically have a lower bound for the size of the whole message, which is also the amount of message recovered$^1$. Signature schemes with unique signature have the property that Ver is injective (with the exception of reject), which also implies that Sign does not use any random $r$ (deterministic signature scheme). 

Two signature schemes are equivalent when the following conditions are satisfied: 

— The possible values of param are the same. 

— The distributions of the pk generated are indistinguishable. 

— Both verification algorithms are the same. 

— The output of the respective Sign operations for fixed $m$ and random $r$ are indistinguishable. 


2.2 Security Model and Proofs 

A $(t, \varepsilon, q_S)$-forger is able to make $q_S$ queries for signatures and tries to produce a new valid signature. It succeeds in time $t$ with probability $\varepsilon$. A signature scheme with no $(t, \varepsilon, q_S)$-forger is said to be $(t, \varepsilon, q_S)$-secure against adaptive chosen message attack. This security also means non-repudiation, because it proves that only the signer is able to make valid signed messages. 

Weak security means that the forgery should be a valid signed message for a message that was not the input of a query. Strong security means that the forgery should be a valid signed message that was not the answer of a query. These notions are equivalent if the scheme has unique signature. 

The security level of a scheme is $k$ bits if there exists no $(t, \varepsilon, q_S)$-forger with $\log_2(t/\varepsilon) < k$. This value $k$ depends on the time unit used for $t$. 

Please note that any $(t, \varepsilon, q_S)$-forger for a signature scheme is also a $(t, \varepsilon, q_S)$-forger for all equivalent signature schemes. 

A mathematical problem is $(t', \varepsilon')$-secure if there exists no algorithm that solves an arbitrary instance of the problem in time $t'$ with probability better than $\varepsilon'$. The difficulty is $k'$ bits if there exists no $(t', \varepsilon')$-solver with $\log_2(t'/\varepsilon') < k'$. 

$^1$ This lower bound can be overcome by storing the length of the actual recovered part in $\tilde{m}$, e.g. by padding $m$ with a 1 followed by a string of 0s. With this padding, one bit of message expansion is added. 
A proof of security is the description of how to construct a $(t', \varepsilon')$-solver (called reduction algorithm) when given access to a $(t, \varepsilon, q_S)$-forger. The reduction simulates an equivalent signature scheme and answers signature queries from the forger. The forgery is used to solve the problem. The reduction does not always succeed, partly because its simulation of an equivalent signature scheme may not be perfect, and partly because the forgery may be useless. 

A tight proof of security has $t'/\varepsilon' \approx t/\varepsilon$. 


2.3 Idealized Models 

An idealized oracle model replaces some components of the verification algorithm with calls to an oracle which is simulated by the reduction. The number of calls to these oracles is bounded, e.g. by $q_O$. Because the actual computation of the idealized components takes time, a scheme with $k$ bits of security with the appropriate time unit always has $q_O < 2^k$. 

The random oracle model replaces hash functions by calls giving random output. The generic group model replaces the operations in some group by random answers that respect the group laws. The random permutation model replaces a fixed permutation by a random one constructed in answer to the oracle calls. The ideal cipher model replaces a keyed permutation by a random one constructed in answer to the oracle calls. 

A reduction algorithm in an idealized model always gives random answers taken from the set of values that are consistent with previous answers. It has total freedom for its answer to the first oracle query, and the other answers should not allow the forger to detect that the reduction algorithm took control of the oracle. Consistency for a random oracle means that the same input always gives the same output. For a random permutation, two different inputs have different outputs, and queries for the inverse permutation should also be consistent. 

To be able to maintain consistency, the reduction algorithm needs to keep 
tables of the subset of input/output pairs that has been developed to answer the 
queries. In other words, the reduction algorithm constructs the oracle tables. 

The random oracle model is widely used in the literature; the ideal cipher model and the generic group model have been used for proving the security of some specific schemes. Proofs in these models cannot generically be translated into the real world [?], but it is widely believed that a proof in an idealized model gives some confidence in the design of a cryptographic primitive. The random oracle model and ideal cipher model are very similar and we believe that they give similar confidence in cryptographic designs: a random oracle can be constructed from ideal ciphers, and it might be possible to build an ideal cipher from random oracles. 


2.4 The RSA Trapdoor One-Way Bijection 

Bijection. A bijection with length $l$ is a one-to-one and onto mapping $F$ from a set $\mathcal{S}$ with $2^l$ elements to a set $\mathcal{E}$ with $2^l$ elements. It is a permutation if $\mathcal{S} = \mathcal{E}$. Let $l'$ be equal to $\|\mathcal{S}$. 

One-Way. A bijection with length $l$ is one-way with security $k'$ bits if $F$ is easy to compute but finding the preimage for a random $y \in \mathcal{E}$ (i.e. the unique $x \in \mathcal{S}$ such that $y = F(x)$) is a problem with a difficulty of $k'$ bits. Exhaustive search in $\mathcal{S}$ shows that $k' \le l'$. 


Trapdoor. It is a trapdoor one-way bijection if knowing some secret information (the trapdoor) makes the computation of $F^{-1}$ easy. 


Random-Self-Reducibility. The permutation is random-self-reducible if it has the following additional property. There exists a probabilistic algorithm $R$ that takes an input $y \in \mathcal{E}$ and generates a uniformly distributed value $\bar{y} \in \mathcal{E}$ such that knowing the value of $F^{-1}(\bar{y})$ makes it easy to compute $F^{-1}(y)$. 

If $F$ is random-self-reducible, then it is always possible to compute $F^{-1}(y)$ in time $2^{l/2}$, using the birthday paradox. A table of $2^{l/2}$ random $(x, F(x))$ pairs is computed. A table of $2^{l/2}$ random $\bar{y}$ values is generated with $R(y)$. A collision $F(x) = \bar{y}$ gives the value for $F^{-1}(\bar{y})$, from which we deduce the value of $F^{-1}(y)$. For a random-self-reducible trapdoor one-way permutation, we always have $k' \le l/2$. 


RSA Permutation. The public parameter is a number $n$ and an odd exponent $e$, the corresponding secret is the factorization $pq = n$ or the inverse $e^{-1} \bmod \phi(n)$. The function $F(x) = x^e \bmod n$ is a permutation of the set $\mathbb{Z}_n^*$ of invertible integers modulo $n$. The trapdoor owner can compute $F^{-1}(x) = x^{e^{-1}} \bmod n$. 

This function $F$ is a random-self-reducible trapdoor one-way permutation. Its random-self-reducibility comes from the algorithm $R$ that generates a random $\bar{x} \in \mathbb{Z}_n^*$ and returns $\bar{y} = y \cdot \bar{x}^e$. Then $F^{-1}(y) = F^{-1}(\bar{y})/\bar{x}$. 

The best known technique to compute $F^{-1}$ is to compute the factorization of $n$. Here is a table that gives estimates for the minimal bit length of $n$ to have some given security levels. The problem of the estimation of the difficulty of factoring large numbers is the object of some controversies and this table should only be understood as a proposal for basing our numbers on realistic estimates. It is not an attempt to solve this controversy. It is based on the hypothesis that the recent factorizations of 512-bit numbers needed a workfactor of $2^{56}$ and that the asymptotic complexity of the number field sieve is around $L_n[\frac{1}{3}, 1.9]$. 

The formula for the following table is $k' = 12 + \log_2(L_{2^l}[\frac{1}{3}, 1.9])$. 

Modulus length l    512   768   1536   4096   8192 
Bit security k'      56    64     80    128    160 

RSA Bijection. For the RSA permutation the permuted set $\mathcal{E}$ is $\mathbb{Z}_n^*$, therefore the length $l$ is not an integer. If an integer value is preferred, the RSA bijection is defined as follows. 

The set $\mathcal{E}$ contains all integers in $\mathbb{Z}_n$ smaller than $2^l$, and $\mathcal{S}$ is its preimage and $l' = \lceil l \rceil$. The computation of $F(x)$ for $x \in \mathbb{Z}_n$ begins with $y = x^e \bmod n$. If $y \in \mathcal{E}$, it is the answer, else $x$ is rejected because it is not an element of $\mathcal{S}$. 
3 Minimal Message Expansion 

3.1 The Lower Bound 

A simple counting argument shows that for any signature scheme with random salt of length $\#r$ and message expansion $\Delta$, a signed message is valid with probability at least $1/2^{\Delta - \#r}$. Therefore the security level of the scheme is at most $\Delta - \#r$. 

Theorem 1. Minimal message expansion for $k$ bits of security is $k$ bits of message expansion and can only be obtained for a signature scheme with unique signature. 

None of the previously published techniques achieves this lower bound: they don't allow one to go under $2k$ bits of message expansion. Our OPSSR scheme achieves this lower bound. 

3.2 Signature Schemes with Appendix 

Coron [?] proved that a signature scheme with unique signature cannot have a tight security proof, and that the lower bound for the relation between the security $k$ of the scheme and the security $k'$ of the underlying problem is $k' \approx k + \log_2 q_S$. 

A signature scheme with appendix based on a problem with security $k'$ has an appendix of length at least $k'$. Therefore the message expansion for a deterministic signature scheme with appendix is at least $k + \log_2 q_S$. 

Randomized signature schemes can enhance the tightness of the proof, but 
at the cost of a random seed that appears in the signed message. Each bit of 
gained tightness costs one bit of random seed. 

Theorem 2. The lower bound for a signature scheme with appendix having $k$ bits of security against a forger allowed to make $q_S$ signature queries is a message expansion of $k + \log_2 q_S$ bits. 

None of the previously published techniques achieves this lower bound, and 
the problem is still open whether it is possible to achieve it or not. 

4 The OPSSR Padding 

4.1 Some Previous Work: PFDH and PSSR 

Quick Introduction. Full Domain Hash was formally described and proved by Bellare and Rogaway in [2]. Their proof shows that in the random oracle model with at most $q_H$ hash queries the security $k$ of FDH is related to the security $k'$ of the underlying trapdoor one-way bijection by $k' \approx k + \log_2(q_H + q_S)$. Coron has shown in [?] that random-self-reducibility helps to improve the proof and obtains $k' \approx k + \log_2 q_S$. Coron also introduced in [?] a probabilistic variant of Full Domain Hash that we describe below. 
PFDH. The two components are a random-self-reducible trapdoor one-way bijection $F$ and a cryptographic hash function $H$. The verification of a signed message splits $\sigma = m\|r\|s$ and says the signature is valid if $s \in \mathcal{S}$ and $H(m\|r) = F(s)$. It outputs the message $m$. 

The trapdoor owner signs the message $m$ by first generating a random salt $r$, then computing $s = F^{-1} \circ H(m\|r)$, and returns $\sigma = m\|r\|s$. 

The proof shows that if $\#r > \log_2 q_S$ then $k' \approx k$ and if $\#r < \log_2 q_S$ then $k' \approx k + \log_2 q_S - \#r$. We can notice that the output length of the hash function is equal to the length $l$ of the bijection and that the message expansion is $l' + \#r$. Because of random-self-reducibility, $l' \ge 2k'$. PFDH does not allow better message expansion than $2k$. 


PSSR. This scheme was introduced in [2] and its optimal proof of security is in [?]. It is a modification of PFDH by adding recovery of the salt and of part of the message. 

The hash function $H$ has output length $2k$ and an additional cryptographic hash function $G$ with input length $2k$ and output length $l - 2k$ is needed and is modeled as a random oracle. 

The verification splits $\sigma = \bar{m}\|s$, checks that $s \in \mathcal{S}$, computes $a\|h = F(s)$ and $\tilde{m} = a \oplus G(h)$, and checks if $H(\bar{m}\|\tilde{m}) = h$. It computes $m\|r = \bar{m}\|\tilde{m}$ and outputs the message $m$. 

The trapdoor owner signs the message $m$ by first generating a random salt $r$, then computing $\bar{m}\|\tilde{m} = m\|r$ where $\tilde{m}$ is $l - 2k$ bits long. Then $h = H(m\|r)$ and $a = \tilde{m} \oplus G(h)$ are computed. The signed message is $\bar{m}\|F^{-1}(a\|h)$. PSS is the special case where $\#r = l - 2k$. 

The security proof is very similar to the proof for PFDH and shows that 
PSSR has the same security as PFDH. The addition of G does not weaken the 
scheme because the probability of a collision in the input of G is low. This is due 
to the fact that the input size of G is twice the security level of the scheme. The 
message expansion with PSSR is 2k + #r. PSSR does not allow better message 
expansion than 2k. 


Replacing a XOR with a Block Cipher. The idea of improving a padding by replacing a XOR with a block cipher was introduced by Jonsson [?] for an improvement of OAEP+ named OAEP++. The same can be done with PSS. It only changes the security properties of the padding when used for asymmetric encryption. 

4.2 Basic OPSSR 

OPSSR means Optimal Padding for Signature Schemes with message Recovery. 
We begin with a simplified version of our OPSSR scheme. 

This signature scheme can only sign messages of length $l - k$. It has two parameters: a trapdoor one-way bijection $F$ with length $l$ and security $k'$ and an arbitrary permutation $E$ of blocks of size $l$. The random permutation model for $E$ is used. In practice $E$ can be based on a large block cipher with fixed key 0 and $F$ can be the RSA bijection. 

Let $\kappa$ be a fixed value of $k$ bits, e.g. $0^k$. Valid signatures are generated by $m \mapsto F^{-1}(E^{-1}(m\|\kappa))$. The verification computes $m\|v = E(F(\sigma))$ and checks if $v = \kappa$. 
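Basic OPSSR signing and verification, as an added Python example that is not part of the paper: $F$ is the RSA bijection with the rejection rule of Section 2.4 on a constructed 65-bit modulus, and $E$ is a 4-round Feistel permutation on 64-bit blocks under a fixed public key, standing in for the large block cipher. The values $l = 64$ and $k = 16$, the toy primes and the Feistel construction of $E$ are my assumptions; the scheme signs only $(l-k)$-bit messages, as the text states, and the last function reports the resulting message expansion $l' - (l - k)$.

```python
"""Toy basic OPSSR: sigma = F^-1(E^-1(m || kappa)); verify m || v = E(F(sigma)) and v == kappa.
F is the RSA bijection with the rejection rule of Section 2.4 (y must lie in E = [0, 2^l));
E is a 4-round Feistel permutation on l-bit blocks with a fixed public key.
Constructed example, not the paper's code; all parameters are toy-sized."""
import hashlib

L_BITS, K_BITS = 64, 16                  # block length l and security parameter k (toy values)
KAPPA = 0                                 # the fixed k-bit value kappa = 0^k
HALF, MASK32 = 32, (1 << 32) - 1
E_KEY = b"opssr-toy-fixed-key"            # public, fixed key: E is a public permutation, not a secret
RSA_P, RSA_Q = 4294967291, 4294967311     # constructed toy primes 2^32-5 and 2^32+15, so n > 2^64
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # the trapdoor

def round_fn(i, r):
    """Feistel round function: 32 bits of SHA-256(key, round index, half block)."""
    h = hashlib.sha256(E_KEY + bytes([i]) + r.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big")

def perm_E(block):
    l, r = block >> HALF, block & MASK32
    for i in range(4):
        l, r = r, l ^ round_fn(i, r)
    return (l << HALF) | r

def perm_E_inv(block):
    l, r = block >> HALF, block & MASK32
    for i in reversed(range(4)):
        l, r = r ^ round_fn(i, l), l
    return (l << HALF) | r

def rsa_F(x):
    """F(x) = x^e mod n, accepted only if the result is in E = [0, 2^l); otherwise x is not in S."""
    if not 0 <= x < RSA_N:
        return None
    y = pow(x, RSA_E, RSA_N)
    return y if y < (1 << L_BITS) else None

def rsa_F_inv(y):
    return pow(y, RSA_D, RSA_N)

def sign(m):
    """Basic OPSSR can only sign messages of exactly l - k bits."""
    if not 0 <= m < (1 << (L_BITS - K_BITS)):
        raise ValueError("message must be l - k bits long")
    return rsa_F_inv(perm_E_inv((m << K_BITS) | KAPPA))

def verify(sigma):
    """Returns the recovered message, or None if sigma is not a valid signed message."""
    y = rsa_F(sigma)
    if y is None:
        return None
    block = perm_E(y)
    m, v = block >> K_BITS, block & ((1 << K_BITS) - 1)
    return m if v == KAPPA else None

def expansion_bits():
    """Signed-message length l' = ceil(log2 n) minus the l - k message bits; equals k when l' = l."""
    return RSA_N.bit_length() - (L_BITS - K_BITS)

if __name__ == "__main__":
    msg = 0xDEADBEEFCAFE                 # a constructed 48-bit message
    print(hex(verify(sign(msg))), expansion_bits())
```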

Security Proof. We show how it is possible to compute F _ 1 (y) for an arbitrary 
y without knowing the trapdoor, but with access to a forger of OPSSR in the 
random permutation model. 

The number of signature queries is bounded by qs and the number of oracle 
queries (to E and E -1 ) is bounded by qo ■ For all answers to the qo + Qs < 
2 k queries made by the forger, we will need to generate a value y' uniformly 
distributed in £. In this proof, one query has y' = y and all other queries have 
y' = F(x') for a random x' . A table of (y’,x') is stored, enabling the lookup of 

F"V). 

First we send to the forger the description of F. Then we will answer to four 
types of queries and the oracle table is updated according to these answers. 

— In response to a signature query for to, the reduction generates a value ?/ 
and updates the oracle table with y' i— i to ||k. The answer is x' = F ~ 1 (y'). 
The signature query aborts if E (y') was already defined. Since if is uniformly 
distributed in £, and at most 2 k values were defined, this happens with 
probability at most l/2 l ~ k . 

The signature query also aborts if y' = y. This has probability \/2 k . 

— In response to a query for $E^{-1}(m\|\kappa)$ that is not in the table, a signature 
query for $m$ is simulated. The answer is $y'$. 

The oracle query aborts if $E(y')$ was already defined. This has probability at 
most $1/2^{l-k}$. 

The oracle query does not abort if $y' = y$. If the forger later makes a query 
for a signature of $m$, then the signature query will abort. 

— In response to a query for $E^{-1}(m\|v)$ with $v \neq \kappa$, a random value $y''$ is 
generated and the oracle table is updated with $y'' \mapsto m\|v$. 

The oracle query aborts if $E(y'')$ was already defined. This has probability 
at most $1/2^{l-k}$. 

— In response to a query for $E(y'')$, random $m$ and $v$ are chosen, and the oracle 
table is updated with $y'' \mapsto m\|v$. 

The oracle query aborts if $v = \kappa$. This has probability $1/2^k$. 

If $l \geq 2k + 1$, then no query makes the reduction abort with probability more 
than $2^{-k}$. Since fewer than $2^k$ queries are made, the total probability of 
non-abortion is at least $(1 - 1/2^k)^{2^k - 1} > 1/e$. 

The forger returns a forgery $\sigma$ which is the signature of a message $m$ with 
probability better than $1/2^k$. If this message was not in a query for $E^{-1}(m\|\kappa)$, 
then the signature is valid with probability $1/2^k$. Therefore this message was in 
a query for $E^{-1}(m\|\kappa)$ and a value $y'$ was generated. The reduction can compute 
$F^{-1}(y)$ if this forgery corresponds to $y = y'$, which happens with probability 
$2^{-k}$. Therefore the success probability of the reduction is the one of the forger 
divided by at most $e 2^k$. 
The running time $t$ of the (real world) forger includes some actual computations 
of $F$, $E$ and $E^{-1}$. The answer to an oracle query by the reduction algorithm 
needs some table lookups and at most one computation of $F$. Under the hypothesis 
that the times for all these computations are similar, the running time for 
the reduction is $\gamma t$ for some small constant $\gamma$. 

A difficulty level of $k' \simeq 2k$ is needed and this scheme has minimal message 
expansion. 

Random-Self-Reducibility. The same technique as in [?] can be used when 
$F$ is random-self-reducible. This technique consists in a change of the way the 
values $y'$ are generated. The full details on how to optimize the parameters can 
be found in Coron's papers. 

The basic idea is to have a proportion $\alpha/q_S$ of the values $y'$ generated with 
the algorithm $R$. A signature query will abort if such a $y'$ was generated, which 
happens with probability $\alpha$. However, if the reduction does not abort, then its 
success probability is the success probability of the forger divided by $q_S/\alpha$. 

This idea applies to OPSSR as well: a difficulty level of $k' \simeq k + \log_2 q_S$ 
is needed and the scheme has minimal message expansion. 

Randomization. The same technique as in [?] can be used to enhance the 
tightness of the reduction, if $F$ is random-self-reducible. The message $m$ is padded 
with a random salt $r$ before being signed. The signature verification works as 
before but the salt is discarded. 

The reason why this improves the tightness of the reduction is that a much 
higher proportion of the values $y'$ can be generated with the algorithm $R$, because 
a signature query can choose a value for the salt for which $y' = F(x')$. 

This idea applies to OPSSR as well: a difficulty level of $k' \simeq k + \log_2 q_S - 
\#r$ is sufficient when the salt has length $\#r \leq \log_2 q_S$. However this randomized 
scheme does not have minimal message expansion, because the salt is recovered 
and the expansion is $k + \#r$. 

4.3 OPSSR 

Basic OPSSR only allows one to sign messages of length $l - k$. To sign a message 
$m$ of arbitrary length greater than $l - k$, the message is split $\bar m \| \tilde m = m$ where $\tilde m$ 
has length $l - k$ bits; $\bar m$ will be transmitted in the clear and $\tilde m$ will be recovered 
with the Basic OPSSR scheme. 

The security proof still holds if all answers to oracle queries are independent 
for different values of $\bar m$. Therefore the functions $E$ and $E^{-1}$ need to take $\bar m$ in 
their input. For better efficiency, a hash of $\bar m$ is used. 

In practice, OPSSR will use a collision free hash function $H$ with $2k$ bits of 
output and a keyed permutation $E_h$ of blocks of size $l$ with a key of size $2k$. The 
function $E_h$ is modeled as an ideal cipher. 

Signature Generation. The message is split $m = \bar m \| \tilde m$ with $l - k$ bits in 
$\tilde m$. Then $h = H(\bar m)$, $x = E_h^{-1}(\tilde m \| \kappa)$ and $s = F^{-1}(x)$ are computed. The 
signed message is $\sigma = \bar m \| s$. 

Signature Verification. The signed message is split $\sigma = \bar m \| s$ with $s \in S$. 
Then $x = F(s)$, $h = H(\bar m)$ and $\tilde m \| v = E_h(x)$ are computed. The signature is 
valid if $v = \kappa$. 
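The signature generation and verification above, as an added Python example that is not part of the paper: $F$ is a toy RSA bijection whose modulus is built from two Mersenne primes (an assumption chosen only to fix the block length $l$), the ideal cipher $E_h$ is replaced by a SHA-256 based Feistel network, and $h = H(\bar m, pk)$ already hashes the public key as Section 5.2 proposes; all sizes are constructed for illustration and far below the security levels of Section 4.4.

```python
import hashlib

# Toy RSA bijection F on l-bit blocks. The two Mersenne primes are an assumption
# chosen only to fix the block length; a 92-bit modulus offers no real security.
P, Q = 2**61 - 1, 2**31 - 1
N = P * Q
E_EXP = 65537
D_EXP = pow(E_EXP, -1, (P - 1) * (Q - 1))
L = (N.bit_length() - 1) & ~1      # even block length l with 2^l < N: every block lies in Z_N
HALF = L // 2
MASK = (1 << HALF) - 1
REC_BYTES = 8                      # the recovered part m_tilde carries l - k bits (64 here)
K = L - 8 * REC_BYTES              # k bits of message expansion (26 here, a toy value)
KAPPA = 0                          # the fixed k-bit constant kappa = 0^k
ROUNDS = 6
PK = (N, E_EXP)
SK = (N, E_EXP, D_EXP)


def round_fn(key, i, half):
    """Feistel round function derived from the cipher key h and the round index."""
    d = hashlib.sha256(key + bytes([i]) + half.to_bytes(HALF // 8 + 1, "big")).digest()
    return int.from_bytes(d, "big") & MASK


def E(key, x):
    """Keyed permutation E_h of l-bit blocks: a balanced Feistel network stands in
    for the ideal cipher of the paper (assumption)."""
    left, right = x >> HALF, x & MASK
    for i in range(ROUNDS):
        left, right = right, left ^ round_fn(key, i, right)
    return (left << HALF) | right


def E_inv(key, y):
    """Inverse permutation E_h^{-1}: the same rounds applied in reverse order."""
    left, right = y >> HALF, y & MASK
    for i in reversed(range(ROUNDS)):
        left, right = right ^ round_fn(key, i, left), left
    return (left << HALF) | right


def hash_key(m_bar, pk):
    """h = H(m_bar, pk) with 2k bits of output; the public key is hashed in as
    Section 5.2 proposes for the multi-key setting."""
    n, e = pk
    d = hashlib.sha256(m_bar + n.to_bytes(16, "big") + e.to_bytes(4, "big")).digest()
    return d[:(2 * K + 7) // 8]


def sign(sk, m):
    """Signature generation: split m = m_bar || m_tilde, then
    x = E_h^{-1}(m_tilde || kappa) and s = F^{-1}(x); the signed message is m_bar || s."""
    if len(m) < REC_BYTES:
        raise ValueError("message must carry at least l - k bits")
    n, e, d = sk
    m_bar, m_tilde = m[:-REC_BYTES], int.from_bytes(m[-REC_BYTES:], "big")
    x = E_inv(hash_key(m_bar, (n, e)), (m_tilde << K) | KAPPA)
    return m_bar, pow(x, d, n)


def verify(pk, m_bar, s):
    """Signature verification with message recovery: x = F(s), m_tilde || v = E_h(x);
    returns the recovered message m_bar || m_tilde, or None when v != kappa."""
    n, e = pk
    x = pow(s, e, n)
    if x >= (1 << L):              # F(s) must be an l-bit block
        return None
    block = E(hash_key(m_bar, pk), x)
    m_tilde, v = block >> K, block & ((1 << K) - 1)
    if v != KAPPA:
        return None
    return m_bar + m_tilde.to_bytes(REC_BYTES, "big")
```

A tampered $s$ or $\bar m$ yields a block whose validation field $v$ is non-zero, so verification returns None instead of a recovered message.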

4.4 RSA-OPSSR and Comparison with Other Schemes 

RSA-OPSSR. With a goal of 80 bits of security and $\log_2 q_S = 48$, OPSSR 
can be used for a proven (in the ideal cipher model) deterministic signature 
algorithm with 80 bits of message expansion with a 4096-bit RSA (or whatever 
is the modulus size for 128 bits of RSA security), or for a proven probabilistic 
signature algorithm with 128 bits of message expansion with 48 bits of salt and 
1536-bit RSA (80 bits of RSA security). 

RSA-PSSR. With a goal of 80 bits of security and $\log_2 q_S = 48$, PSSR can be 
used for a proven (in the random oracle model) deterministic signature algorithm 
with 160 bits of message expansion with a 4096-bit RSA (or whatever is the 
modulus size for 128 bits of RSA security), or for a proven probabilistic signature 
algorithm with 208 bits of message expansion with 48 bits of salt and 1536-bit 
RSA (80 bits of RSA security). 

PVSSR or Naccache-Stern. With a goal of 80 bits of security and $\log_2 q_S = 
48$, they can be used for a proven (in the generic group model) probabilistic 
signature algorithm based on a 160-bit elliptic curve discrete logarithm and 
achieving 240 to 208 bits of message expansion. 

5 Idealized Security Models and Multi-key Setting 

5.1 The Multi-key Setting 

Proofs of security for digital signature schemes only consider the case where the 
forger is able to ask signature queries for one public key, and has to make a valid 
signature for that public key. 

However, it may be the case that computations done by the forger to attack 
one public key also help to attack another public key. Taking this into consider- 
ation is called the multi-key setting. 

This consideration first appeared in a different form in the description of 
KCDSA for security against parameter manipulation [31, Section 4.2]. 

Since the performance cost for having proofs of security against attacks in 
the multi-key setting is small, we believe that signature schemes should take this 
into account. 

5.2 A Concrete Solution 

To make the proof take the multi-key setting into account, one can make sure that 
all the components completely change if the public key changes. 

For RSA-OPSSR, we have to meet the two following requirements: 
— the best way to factor a bunch of RSA numbers is to factor each of them 
separately, 

— the function $E$, in the idealized world, depends on the public key. 

The first requirement does not depend on the padding and may not be met 
by the RSA bijection, because it may be possible to factor a bunch of RSA 
numbers faster than factoring them individually [?].² 

To meet the second requirement we propose here a straightforward and simple 
improvement of the OPSSR scheme. The only change is that $h = H(\bar m, pk)$. 

All other signature schemes proven secure in an idealized model can benefit 
from a similar improvement of their security. For example with RSA-PSS, it is 
sufficient to include the public key in the input of both hash functions H and G. 

6 Discussion and Open Problems 

6.1 Large Block Cipher 

OPSSR with 4096-bit RSA needs a block cipher able to encrypt blocks of 512 
bytes. No such block cipher has been widely studied. Using a deterministic mode 
of operation of an 8- or 16-byte block cipher is not a solution because it is not a 
valid implementation of the ideal cipher model. 

Two research directions can be proposed. 

— Is it possible to replace this ideal cipher with random oracles, for example 
with a sufficient number of Feistel rounds? 

— How many rounds of the generalization of Rijndael that is based on 512 
parallel S-boxes and an adequate MDS matrix are needed to have a secure 
cipher? 


6.2 Optimal Trapdoor One-Way Permutations 

Another drawback of using OPSSR with RSA is that even if the message expansion 
is small, the minimal length for a signed message is equal to the size $l'$ 
of the RSA modulus. Optimal trapdoor one-way permutations have minimal input 
length and would minimize this value. 

With an optimal trapdoor one-way (non random-self-reducible) permutation, 
i.e. one that permutes $l$-bit blocks with $k' = l$ bits of security, (deterministic) OPSSR 
can be applied with $l \simeq 2k$. The minimal length for a signed message is $2k$ and 
the message expansion is $k$. 

With an optimal random-self-reducible trapdoor one-way permutation, i.e. 
one that permutes $l$-bit blocks with $k' = l/2$ bits of security, (deterministic) OPSSR 
can be applied with $l = 2k' = 2(k + \log_2 q_S)$. The minimal length for a signed 
message is $2k + 2\log_2 q_S$ and the message expansion is $k$. Randomized OPSSR 
can also be applied with $\#r = \log_2 q_S$ and $l = 2k' = 2k$. The minimal length for 
a signed message is $2k + \log_2 q_S$ and the message expansion is $k + \log_2 q_S$. 

² This requirement is not met for schemes with security based on the hardness of the 
discrete logarithm in some fixed integer multiplicative group. The multi-key setting 
needs distinct groups for distinct public keys. 

But the problem of finding an explicit candidate for an optimal 
(random-self-reducible) trapdoor one-way permutation is old and still unsolved. 

6.3 Avoiding Idealized Security Models 

The other important open problem is how to get rid of the idealized oracle 
models, which are the core of our proofs of security. Signature schemes based on 
chameleon hash functions or similar techniques cannot be an answer, because 
the information needed to commit to some hash has to be in the signed message, 
and will increase the message expansion. 
A Comparison of OPSSR with Other Paddings 

Many other paddings have been proposed. We show below the description of 
those paddings, when used for private decryption in an asymmetric encryption 
scheme or for public verification in a digital signature scheme. Their output is 
the message m, a random seed r and a validation value v. A non zero value for 
v leads to a rejection. 

All these paddings have security proofs, where the internal components (the 
hash functions $G$, $H$ and $H'$ and the encryption functions $E$) are modelled as 
random oracles and ideal ciphers. 

They are special implementations of OPSSR where the encryption function 
has a special form, but the security proof for OPSSR does not apply to this 
special form. 

For example with PSS-R, if $v$ is $k$ bits long, then it is easy to find a collision 
$H(m\|r) = H(m'\|r')$ in time $2^{k/2}$. If $E$ is the corresponding encryption function 
for OPSSR (an unbalanced 2-round Feistel scheme based on $G$ and $H$), that 
means that if $E^{-1}(m\|r\|v) = a\|b$ is known, then the attacker can deduce that 

To improve the tightness of the security proof, the scheme needs to be 
randomized. The encryption of $m$ is $F \circ E(m\|r\|\kappa)$ and the decryption $m\|r\|v = 
E^{-1} \circ F^{-1}(c)$ is rejected if $v \neq \kappa$. 

OPSSR for Encryption. To be able to encrypt arbitrary-length messages, one 
can use the same technique as Jonsson [?] and notice that the whole $E(m\|r\|\kappa)$ 
does not need to be permuted with $F$. To encrypt $m$ we compute $x\|y = E(m\|r\|\kappa)$ 
and the ciphertext is $c = x\|F(y)$. 


Properties. All properties of PSS described in [?] for a dual encryption + 
signature usage of the same public key are also valid for OPSSR. Moreover, the 
security reduction for the encryption scheme is as tight as for OAEP++. This 
can be proved with the technique from [?]. 

The main advantage of using OPSSR for encryption rather than these other 
paddings is that the message expansion is minimal, as is the case for signature 
with OPSSR. The main disadvantage is that the encryption of a message of $n$ 
bits with $k$ bits of security and $k$ bits of expansion needs a random permutation 
of blocks of $n + k$ bits. 
Abstract. Essentially all known one-time signature schemes can be described 
as special instances of a general scheme suggested by Bleichenbacher and Maurer 
based on "graphs of one-way functions". Bleichenbacher and Maurer thoroughly 
analyze graph based signatures from a combinatorial point of view, studying 
the graphs that result in the most efficient schemes (with respect to various 
efficiency measures, but focusing mostly on key generation time). However, 
they do not give a proof of security of their generic construction, and they 
leave open the problem of determining under what assumption security can be 
formally proved. In this paper we analyze graph based signatures from a 
security point of view and give sufficient conditions that allow one to prove 
the security of the signature scheme in the standard complexity model (no 
random oracles). The techniques used to prove the security of graph based 
one-time signatures are then applied to the construction of a new class of 
algebraic signature schemes, i.e., schemes where signatures can be combined 
with a restricted set of operations. 


1 Introduction 

One-time signatures [Lam79] are digital signature schemes where the signer is 
restricted to sign a single document. They are interesting cryptographic primitives 
because they allow one to solve many important cryptographic problems, and 
at the same time offer substantial efficiency advantages over regular digital 
signature schemes (cf. [RSA78, Sch91, OMB88, PM92]), especially with respect to 
signing, verification and key generation time. Applications of one-time signatures 
include the design of regular signature schemes [Mer87, Mer90, BM92, DN94], 
on-line/off-line signatures [EGM96], digital signatures with forward security 
properties [BM99, AR00, MMM02], efficient broadcast authentication protocols 
[Per01, Roh99], network routing protocols [HPT97], and more. The first one-time 
signature scheme was proposed by Lamport [Lam79] and (in an interactive setting) by 
Rabin [Rab78]. The idea of the basic scheme of Lamport is very simple: given a 
one-way function $f$, one selects two random strings $x_0, x_1$ (which constitute the 
secret key), and publishes $f(x_0), f(x_1)$. Then, a single bit message $b \in \{0, 1\}$ can 
be signed by revealing $x_b$. Verification is performed in the obvious way. Notice 
how the signing process is almost instantaneous, while verification only involves 
a single application of a one-way function. Key generation is almost as efficient, 
requiring only two applications of the one-way function. 

Since Lamport's original proposal, many extensions and improvements have 
been suggested [MM82, Mer82, Mer87, Vau92, BC93, EGM96, BM94, BM96b, 
BM96a, Per01]. The improvements usually involve iterating the application of 
the one-way function, or revealing multiple values as part of a signature. All these 
schemes (with the exception of Perrig's) can be described as special instances of a 
general scheme suggested by Bleichenbacher and Maurer [BM94, BM96b, BM96a], 
based on the use of "graphs of one-way functions". These are directed acyclic 
graphs or DAGs (see next section for a formal definition) with values associated 
to the vertices computed according to one-way functions associated to the 
edges (see Figure 1). Messages are signed by revealing the values for some of 
the vertices, and signatures verified using the publicly available one-way 
functions. As pointed out in [BM94, BM96b, BM96a], DAG-based one-time signature 
schemes generalize and have potential advantages over schemes simply based on 
the iterated application of the one-way function (which correspond to graphs 
consisting of a collection of disjoint chains). Unfortunately, one-wayness does 
not seem a sufficiently strong assumption to guarantee the security of the graph 
based one-time signature schemes. In fact, [BM94] and subsequent papers only 
study the combinatorial properties of the graphs, e.g., trying to maximize the 
size of the message space that can be signed using graphs with a predetermined 
number of vertices. The issue of determining sufficient security assumptions on 
the "one-way function" $f$, and proving the security of graph based signatures in 
the standard complexity model is left open in [BM94, BM96b, BM96a]. 

Our Contributions: In this paper we analyze the security of graph based 
signatures in order to put them on the firm grounds of the standard computational 
complexity security model. We show that under standard assumptions the 
security of graph based signatures can be formally proved. In order to achieve 
provable security, we adopt an approach in the definition of graph based 
signatures that is dual to the one used in [BM94]. Namely, instead of associating 
values to the nodes of a graph and functions to the edges, we propose to 
associate values to the edges and functions to the nodes (Figure 2 shows an example). 
Then, we prove that if the functions associated to the nodes are regular collision 
resistant (or simply universal one-way) hash functions and one-to-one pseudorandom 
generators, then the resulting one-time digital signature scheme is provably 
hard to break. These primitives can be built starting from any one-way permutation. 
The regularity and one-to-one properties can be relaxed assuming that 
the hash functions and pseudo-random generator only satisfy pseudorandomness 
and collision resistance properties. 

An important byproduct of this work is the use of a hybrid argument in a 
novel way in our proof. Indeed, in order to prove the security of the signature 
scheme, our analysis involves telling two distributions apart. However, a direct 
hybrid argument cannot be used because the number of hybrid distributions may 
be exponential in the security parameter. We show that by carefully setting a 
total order relation on the hybrids, we can combine them into a small (polynomial) 
number and the proof goes through. To the best of our knowledge this is 
a novel use of the hybrid argument and may be of independent interest. 

Fig. 1. DAG where values are associated to vertices and functions to edges 
(e.g. $v_2 = f_1(v_1)$, $v_6 = f_2(v_2)$, $v_4 = f_3(v_3, v_2)$, $v_5 = f_4(v_4)$). 

Fig. 2. DAG where values are associated to edges and functions to vertices 
(e.g. $(v_2, v_5) = f_1(v_1)$, $v_4 = f_2(v_3, v_2)$). 

Extensions: Graph-based one-time signatures can be extended to instantiate 
a new type of signature scheme referred to as algebraic signatures, originally 
suggested by Rivest [MR03]. An algebraic signature scheme is a signature scheme 
in which computing signatures of unseen messages is allowed in a restricted 
way. Associated to each algebraic signature scheme there is a set of functions 
$\mathcal{O} = \{f_1, \ldots, f_t\}$ (where each function $f_i$ maps messages into messages). The 
fundamental property of algebraic signature schemes is that given signatures 
$sig(m_1), \ldots, sig(m_r)$ anyone can compute the signature $sig(f_i(m_1, \ldots, m_r))$. Clearly, 
algebraic signatures require the definition of a new notion of unforgeability. 
Namely, an algebraic signature scheme is secure if no adversary can efficiently 
compute signatures of messages that cannot be computed from $m_1, \ldots, m_r$ by 
applying the functions in $\mathcal{O}$. (See Section [?] for details.) Micali and Rivest [MR02], 
and, recently, Bellare and Neven [BN02], presented constructions of transitive 
signatures which allow one to sign edges in an undirected graph in such a way that 
computing signatures of the transitive closure of the signed edges does not 
require knowledge of the secret key. Similarly, Johnson et al. [JMSW02] studied 
several cases where the signing algorithm is homomorphic with respect to a 
binary operation. 

Building on graph-based one-time signature schemes we give explicit 
constructions for algebraic signatures on sets which support union and subset 
operations and also union and super-intersection operations¹. We see graph-based 
algebraic signatures as an area that deserves further research, since it may lead 
to efficient and useful constructions. 

¹ The super-intersection of sets $A$ and $B$, denoted $A \odot B$, is the collection of all sets 
$S$ such that $A \cap B \subseteq S \subseteq A \cup B$. 


2 Notation and Basic Definitions 

In this section we review some definitions used throughout the paper. We start by 
recalling some standard definitions about cryptographic primitives and directed 
graphs. 


2.1 Cryptographic Primitives 

We first recall the standard definition of security of signature schemes under 
chosen-message attacks (cf. [GMR88]) adapted to the case of one-time signature 
schemes. Then, we recall the (also standard) definitions of security of 
collision-resistant one-way hash functions (cf. [?]) and pseudorandom generators 
(cf. [BM84, Yao82]). 

One-Time Signature Scheme: Formally, a signature scheme consists of three 
algorithms $\Sigma = (KG, Sig, Vf)$. Given a security parameter $k \in \mathbb{N}$, the key generation 
algorithm $KG(k)$ outputs a pair of public and private keys $(pk, sk)$; $Sig$ is 
the signing algorithm taking as input a key $sk$ and a message $m$, and returning a 
signature $\sigma$; $Vf$ is the verification algorithm taking as input a key $pk$, a message 
$m$ and a signature $\sigma$, and returning a boolean decision. The signing algorithm 
may be randomized but the verification algorithm is usually deterministic. It is 
required that valid signatures are always accepted. A one-time signature scheme 
is secure against existential forgery in a one-chosen-message attack if no 
computationally bounded adversary (forger), after obtaining the signature of a single 
message of his choice, can output a (different) message and a corresponding valid 
signature, except with negligible probability. 

Collision-Resistant Hash Functions: Let $\mathcal{H}$ be a family of functions. An 
individual element in $\mathcal{H}$ is a function $H : R^2 \to R$, for some fixed set $R$. The family 
$\mathcal{H}$ is said to be collision-resistant if, for $H$ randomly chosen in $\mathcal{H}$, any 
computationally bounded adversary (collision-finder) cannot find two different messages 
$m$ and $m'$ that map by $H$ to the same value, except with negligible probability. 
Furthermore, we say $H$ is regular if it satisfies $\Pr[H(X) = y : X \leftarrow R^2] = 
\Pr[Y = y : Y \leftarrow R]$ for all $y \in R$, and all $H \in \mathcal{H}$. 

Pseudorandom Generators: Let $G : R \to R^2$ be a deterministic function. 
$G$ is a pseudorandom generator if no computationally bounded adversary 
(distinguisher) can tell apart the output $G(x)$ on a random input $x$ from a 
truly random value in $R^2$ with non-negligible probability. Also, a pseudorandom 
generator $G$ is one-to-one if there is no pair of distinct inputs $x, x' \in R$ that 
produce the same output under $G$. 
Fig. 3. Example of a DAG $\mathcal{G}$. 

Fig. 4. Two cuts $C_1 \subseteq C_2$ in $\mathcal{G}$. 


2.2 Graphs 

A directed graph is a pair $(V, E)$ where $V$ is a finite set of vertices and $E \subseteq V \times V$ 
is the set of edges. A path of length $\ell \geq 0$ from $v_0$ to $v_\ell$ in $G$ is a sequence of 
vertices $p = (v_0, \ldots, v_\ell)$ such that $(v_{i-1}, v_i) \in E$ for all $i = 1, \ldots, \ell$. If such a 
path exists, we say that $v_0$ is a predecessor of $v_\ell$ and $v_\ell$ is a successor of $v_0$. 
The sets of predecessors and successors of $v$ are denoted $Pred(v)$ and $Succ(v)$, 
respectively. A set of vertices $S$ is predecessor closed if $Pred(v) \subseteq S$ for all $v \in S$. 
Similarly, $S$ is successor closed if $Succ(v) \subseteq S$ for all $v \in S$. A cycle is a path 
$(v_0, \ldots, v_\ell)$ of length $\ell \geq 1$ such that $v_0 = v_\ell$. A directed acyclic graph (DAG) is 
a directed graph with no cycles. 

The indegree of a vertex $v$ is the number of edges $(v', v) \in E$ pointing to $v$, 
the outdegree is the number of edges $(v, v') \in E$ departing from $v$, and the total 
degree is the sum of the indegree and the outdegree. Vertices with indegree 0 are 
called sources, and vertices with outdegree 0 are called sinks. Vertices that are 
neither sources nor sinks are called internal vertices. For simplicity, in this paper 
we only consider DAGs with a single source $v_\bot$ with outdegree 1, a single sink $v_\top$ 
with indegree 1, and $n \geq 0$ internal nodes with total degree 3. For such graphs, 
there are only two kinds of internal vertices: expansion vertices with indegree 1 
and outdegree 2, and compression vertices with indegree 2 and outdegree 1. So, 
the set of vertices of our graphs can be partitioned as $V = V_G \cup V_H \cup \{v_\bot, v_\top\}$, 
where $V_G$ are the expansion vertices and $V_H$ the compression vertices. We also 
fix a total order relation $(V_G, <)$ that extends the partial order defined over $V_G$ 
by the predecessor relation. 

An example of a DAG is depicted in Figure 3. Vertex 0 is the source, vertex 11 
the sink, $V_H = \{1, 2, 3, 4, 5\}$ are compression vertices, and $V_G = \{6, 7, 8, 9, 10\}$ 
are expansion vertices. 

A cut in a graph $(V, E)$ is a nontrivial partition $C = (S, \bar S)$ of the vertices 
such that $S$ is predecessor closed (or, equivalently, $\bar S$ is successor closed). The 
set of cuts in a graph $(V, E)$ is denoted $Cuts(V, E)$, and it forms a partial order 
where $(S, \bar S) \subseteq (S', \bar S')$ if and only if $S \subseteq S'$ (or, equivalently, $\bar S \supseteq \bar S'$). Notice 
that since $(S, \bar S)$ is nontrivial (i.e., both $S$ and $\bar S$ are not empty), and $S, \bar S$ are 
predecessor and successor closed, it is always the case that $v_\bot \in S$ and $v_\top \in \bar S$. 
Therefore, a cut can be implicitly represented by a single set of vertices $S$ with 
the convention that if $v_\bot \in S$ then $(S)$ represents $(S, V \setminus S)$, while if $v_\top \in S$ 
then $(S)$ represents $(V \setminus S, S)$. For any cut $C$, the component of $C$ containing 
$v_\bot$ (resp. $v_\top$) is denoted $S(C)$ (resp. $\bar S(C)$). 

An edge $e = (u, v)$ crosses a cut $C = (S, \bar S)$ if $u \in S$ and $v \in \bar S$. The set of 
edges crossing $C$ is denoted $Edges(C) = E \cap (S \times \bar S)$. We consider graphs where 
each edge is labeled with an element from some set $R$. The labels associated 
to the edges are not totally independent, but must satisfy certain constraints. 
Let $G : R \to R^2$ and $H : R^2 \to R$ be two arbitrary functions. (Later on, we will 
instantiate $G$ with a pseudorandom generator and $H$ with a collision resistant 
hash function.) A labeling is a partial function $\lambda$ from $E$ to $R$, i.e., a function 
$\lambda : T \to R$ where $T \subseteq E$. The domain $T$ of the labeling is denoted $dom(\lambda)$. We say 
that $\lambda$ is consistent (with respect to functions $G$ and $H$) if values are computed 
according to functions $G$ and $H$, i.e., 

— for every expansion vertex with incoming edge $e_0 \in dom(\lambda)$ and outgoing 
edges $e_1, e_2 \in dom(\lambda)$, $G(\lambda(e_0)) = (\lambda(e_1), \lambda(e_2))$. 

— for every compression vertex with incoming edges $e_0, e_1 \in dom(\lambda)$ and 
outgoing edge $e_2 \in dom(\lambda)$, $\lambda(e_2) = H(\lambda(e_0), \lambda(e_1))$. 

We are interested in labeling functions defined over cuts. A labeled cut is a 
labeling function $\sigma$ such that $dom(\sigma)$ is the set of edges of a cut, i.e., $dom(\sigma) = 
Edges(C)$ for some $C \in Cuts(V, E)$. If $\sigma$ is a labeling with domain $Edges(C)$ 
then we write $\sigma : C$. Similarly, we denote as $\{\sigma : C\}$ the set of all labelings with 
domain $Edges(C)$. Notice that any function $\sigma : Edges(C) \to R$ is consistent, i.e., 
the edges of a cut can be labeled independently. Any labeled cut $\sigma : C$ can be 
uniquely extended to a consistent labeling defined over all edges ending in $\bar S(C)$. 

Proposition 1. For any directed acyclic graph $(V, E)$, cut $C \in Cuts(V, E)$ and 
labeling $\sigma : Edges(C) \to R$, there exists a unique labeling, denoted $[\sigma]$, such that 

(1) $dom([\sigma]) = E \cap (V \times \bar S(C))$, 

(2) $[\sigma]$ is consistent, and 

(3) $[\sigma](e) = \sigma(e)$ for all $e \in Edges(C)$. 

Moreover, $[\sigma]$ can be efficiently computed from $\sigma$. 

Notice that for any two cuts $C_1 \subseteq C_2$, the set $Edges(C_2)$ is contained in 
$V \times \bar S(C_1)$. Therefore, given a labeled cut $\sigma_1 : C_1$ and a cut $C_2$ such that $C_1 \subseteq C_2$, 
we can define a labeled cut $\sigma_2 : C_2$ by restricting the domain of $[\sigma_1]$ to $Edges(C_2)$. 

Definition 1. For any ordered pair of cuts $C_1 \subseteq C_2$, we define a corresponding 
projection operation $\Pi_{C_2}^{C_1}$ (or, simply, $\Pi_{C_2}$ when $C_1$ is clear from the context) 
that maps any labeled cut $\sigma_1 : C_1$ to a corresponding labeled cut $\sigma_2 : C_2$ obtained 
by first extending $\sigma_1$ to $[\sigma_1]$, and then restricting the domain of $[\sigma_1]$ to the set 
$Edges(C_2)$. 

Notice that if $C_1 = (S_1, \bar S_1)$ and $C_2 = (S_2, \bar S_2)$, then $\sigma_2 = \Pi_{C_2}(\sigma_1)$ can be 
computed from $\sigma_1$ with at most $|S_2 \setminus S_1|$ applications of functions $G$ and $H$. 

Example 1. Figure 4 depicts two example cuts $S(C_1) = \{0, 1, 2, 3, 4\}$ with 
$Edges(C_1) = \{(2, 5), (4, 7), (4, 6), (3, 6), (3, 8)\}$, and $S(C_2) = \{0, 1, 2, 3, 4, 5, 8\}$ 
with $Edges(C_2) = \{(8, 9), (5, 7), (4, 7), (4, 6), (3, 6)\}$. As a toy example, consider 
$R = \mathbb{Z}_{10}$, $H(x, y) = x + y$, and $G(x) = (x, x)$. If we choose $\{((2, 5), 3), ((4, 7), 9), 
((4, 6), 5), ((3, 6), 2), ((3, 8), 8)\}$ as a labeled cut $\sigma : C_1$ in $\mathcal{G}$, then it is easy to check 
that the labeled cut defined by $\Pi_{C_2}^{C_1}(\sigma)$ (the consistent extension of $C_1$ onto $C_2$) 
is $\{((8, 9), 1), ((5, 7), 3), ((4, 7), 9), ((4, 6), 5), ((3, 6), 2)\}$. 


3 The GBOTS Construction 

A graph based one-time signature (GBOTS) scheme is specified by a directed 
acyclic graph $(V, E)$, a function $\mu : \mathcal{M} \to Cuts(V, E)$ from a message space $\mathcal{M}$ to 
the set of cuts of the graph, a length doubling function $G : R \to R^2$ and a family 
$\mathcal{H}$ of length halving functions $H : R^2 \to R$. Function $\mu$ must satisfy the security 
property that if $m \neq m'$, then the cuts $\mu(m)$ and $\mu(m')$ are incomparable, i.e., 
neither $\mu(m) \subseteq \mu(m')$ nor $\mu(m') \subseteq \mu(m)$. In particular, function $\mu$ is injective. 
Examples of such functions are presented in [BM96b, BM96a]. 

The secret key of a GBOTS scheme consists of a labeled cut $\sigma_\bot : \{v_\bot\}$ and a 
hash function $H \in \mathcal{H}$, both chosen uniformly at random. The corresponding public 
key is given by function $H$ and the labeled cut $\sigma_\top = \Pi_{\{v_\top\}}(\sigma_\bot)$. A signature 
for a message $m \in \mathcal{M}$ is a labeled cut $\sigma : \mu(m)$. Message $m$ is signed using secret 
key $(H, \sigma_\bot)$ setting $\sigma = \Pi_{\mu(m)}(\sigma_\bot)$. A message signature pair $(m, \sigma : \mu(m))$ 
is verified using public key $(H, \sigma_\top)$ checking that $\Pi_{\{v_\top\}}(\sigma) = \sigma_\top$. A formal 
specification of the GBOTS scheme is given in Figure 5. 


Algorithm $KG(1^k)$ 
    $H \leftarrow \mathcal{H}$, $\sigma_\bot \leftarrow \{\sigma : \{v_\bot\}\}$ 
    $\sigma_\top \leftarrow \Pi_{\{v_\top\}}(\sigma_\bot)$ 
    $pk \leftarrow (H, \sigma_\top)$, $sk \leftarrow (H, \sigma_\bot)$ 
    return $(pk, sk)$ 

Algorithm $Sig(sk, m)$ 
    parse $sk$ as $(H, \sigma_\bot)$ 
    $\sigma \leftarrow \Pi_{\mu(m)}(\sigma_\bot)$ 
    return $\sigma : \mu(m)$ 

Algorithm $Vf(pk, m, \sigma)$ 
    parse $pk$ as $(H, \sigma_\top)$ 
    if $\Pi_{\{v_\top\}}(\sigma) = \sigma_\top$ return 1 
    else return 0 

Fig. 5. Key Generation, Signing and Verification algorithms for the GBOTS scheme. 
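Example 1 and the algorithms of Figure 5, as an added Python example that is not the paper's code: the page lists only $Edges(C_1)$ and $Edges(C_2)$, so the remaining edges of the DAG are completed here under the page's degree constraints (an assumption); with the toy $R = \mathbb{Z}_{10}$ functions the projection reproduces the labeled cut stated in Example 1, and for the signature part $G$ and the family $H_{key}$ are SHA-256 stand-ins chosen here, with $\mu$ mapping one-bit messages to the two incomparable cuts $\{0, 1, 2, 3, 4\}$ and $\{0, 1, 2, 5\}$.

```python
import hashlib
import secrets

# DAG of Example 1: the paper lists only Edges(C1) and Edges(C2); the remaining
# edges are completed here (assumption) so that source 0 has outdegree 1, sink 11
# has indegree 1 and every internal vertex has total degree 3.
EDGES = [(0, 1), (1, 2), (1, 3), (2, 4), (2, 5), (3, 6), (3, 8), (4, 6), (4, 7),
         (5, 7), (5, 8), (6, 9), (7, 10), (8, 9), (9, 10), (10, 11)]
SOURCE, SINK = 0, 11
VERTICES = range(SINK + 1)            # vertex ids are a topological order

def incoming(v):
    return [e for e in EDGES if e[1] == v]

def outgoing(v):
    return [e for e in EDGES if e[0] == v]

def cut_edges(S):
    """Edges(C) for the cut C = (S, V \\ S), with S predecessor closed."""
    return [(u, w) for (u, w) in EDGES if u in S and w not in S]

def extend(S, sigma, G, H):
    """[sigma] of Proposition 1: the unique consistent labeling of all edges
    ending in V \\ S, computed from the labeled cut sigma: Edges(C)."""
    lab = dict(sigma)
    for v in VERTICES:
        if v in S or v == SINK:
            continue
        ins = incoming(v)
        if len(ins) == 1:                 # expansion vertex: (lab(e1), lab(e2)) = G(lab(e0))
            e1, e2 = outgoing(v)
            lab[e1], lab[e2] = G(lab[ins[0]])
        else:                             # compression vertex: lab(e2) = H(lab(e0), lab(e1))
            (e2,) = outgoing(v)
            lab[e2] = H(lab[ins[0]], lab[ins[1]])
    return lab

def project(S1, sigma1, S2, G, H):
    """Pi_{C2}(sigma1) of Definition 1, defined only when C1 ⊆ C2, i.e. S1 ⊆ S2."""
    if not S1 <= S2:
        raise ValueError("projection needs C1 ⊆ C2")
    full = extend(S1, sigma1, G, H)
    return {e: full[e] for e in cut_edges(S2)}

# Example 1 of the paper: R = Z_10, H(x, y) = x + y, G(x) = (x, x).
def G_toy(x):
    return (x % 10, x % 10)

def H_toy(x, y):
    return (x + y) % 10

S1 = frozenset({0, 1, 2, 3, 4})
S2 = frozenset({0, 1, 2, 3, 4, 5, 8})
SIGMA1 = {(2, 5): 3, (4, 7): 9, (4, 6): 5, (3, 6): 2, (3, 8): 8}

def example_1():
    return project(S1, SIGMA1, S2, G_toy, H_toy)

# GBOTS (Figure 5) over the same graph with R = 16-byte strings. G and the keyed
# family H_key are SHA-256 stand-ins for the PRG and hash family (assumption).
RB = 16

def G_prg(x):
    d = hashlib.sha256(b"G" + x).digest()
    return d[:RB], d[RB:2 * RB]

def make_H(key):
    return lambda x, y: hashlib.sha256(b"H" + key + x + y).digest()[:RB]

# mu: one-bit messages -> two incomparable cuts (neither S contains the other)
MU = {0: frozenset({0, 1, 2, 3, 4}), 1: frozenset({0, 1, 2, 5})}
BOTTOM = frozenset({SOURCE})                 # the cut {v_bot}: Edges = {(0, 1)}
TOP = frozenset(VERTICES) - {SINK}           # the cut {v_top}: Edges = {(10, 11)}

def keygen():
    key = secrets.token_bytes(RB)                  # picks H from the family
    sigma_bot = {(0, 1): secrets.token_bytes(RB)}  # random labeled cut sigma_bot: {v_bot}
    sigma_top = project(BOTTOM, sigma_bot, TOP, G_prg, make_H(key))
    return (key, sigma_top), (key, sigma_bot)      # (pk, sk)

def sign(sk, m):
    key, sigma_bot = sk
    return project(BOTTOM, sigma_bot, MU[m], G_prg, make_H(key))

def verify(pk, m, sigma):
    key, sigma_top = pk
    if set(sigma) != set(cut_edges(MU[m])):        # sigma must be a labeled cut sigma: mu(m)
        return False
    return project(MU[m], sigma, TOP, G_prg, make_H(key)) == sigma_top
```

A signature on one bit cannot be projected onto the other bit's cut because the two cuts are incomparable, which is exactly the security property required of $\mu$.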


4 The Reduction 

In this section we relate the security of GBOTS to the security of the under- 
lying pseudorandom generator G and family of hash functions R. Formally, we 
show how a forger adversary T that successfully attacks the one-time signature 
scheme, can be used to build efficient procedures to successfully attack G and R 
as follows: an inverter algorithm I H that attempts to invert a randomly chosen 
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function H G H', an inverter algorithm Iq that attempts to invert function G: 
a collision finder algorithm Cr that on input H G 'H attempts to find a col- 
lision to H, and a distinguisher Vq that attempts to tell random strings and 
pseudorandom strings apart. 

None of the adversaries $\mathcal{I}_G, \mathcal{I}_H, \mathcal{C}_H, \mathcal{D}_G$ is individually guaranteed to work, but we can bound the success probability of the forger $\mathcal{F}$ as a function of the combined success probabilities of $\mathcal{I}_G, \mathcal{I}_H, \mathcal{C}_H, \mathcal{D}_G$. So, if $G$ and $\mathcal{H}$ are cryptographically secure, then the GBOTS scheme is secure. In the rest of this section we show how to build $\mathcal{I}_G, \mathcal{I}_H, \mathcal{C}_H, \mathcal{D}_G$ given black-box access to the forger $\mathcal{F}$. The success probabilities of these adversaries are analyzed in the following section.

Adversaries $\mathcal{I}_G, \mathcal{I}_H, \mathcal{C}_H, \mathcal{D}_G$ all use the forger $\mathcal{F}$ in a specific way, common to all four of them. So, we describe this general procedure $\mathcal{A}$ first. This procedure takes as input a hash function $H$, a node $v$, and a labeling $\sigma_v : \mathrm{Pred}(v)$. The task is, given oracle access to the forger algorithm, to compute a labeling $\sigma'_v : \mathrm{Succ}(v)$. In other words, $\mathcal{A}$ gets as input a labeling of the smallest cut containing $v$, and tries to output a labeling for the biggest cut not containing $v$ (where biggest and smallest refer to the $\subseteq$ ordering relation).

Procedure $\mathcal{A}(H, v, \sigma_v)$ operates as follows:

1. Compute $\sigma_\top = \Pi_{\{v_\top\}}(\sigma_v)$.

2. Run $\mathcal{F}$ on input $pk = (H, \sigma_\top)$.

3. Let $m \in \mathcal{M}$ be the message output by $\mathcal{F}$. If $v \notin \mu(m)$, then abort. Otherwise, compute $\sigma_m = \Pi_{\mu(m)}(\sigma_v)$ and continue to the next step.

4. Run $\mathcal{F}$ on input $\sigma_m$ to get a forgery $(m', \sigma')$. We assume, without loss of generality, that $\mathcal{F}$ always outputs a valid message-signature pair, i.e., $\Pi_{\{v_\top\}}(\sigma') = \sigma_\top$. If $\mathcal{F}$ cannot forge a signature, then it outputs $(m, \sigma_m)$.

5. If $v \in \mu(m')$ then abort. Otherwise, compute and output $\sigma'_v = \Pi_{\mathrm{Succ}(v)}(\sigma')$.

A few remarks follow. First, for any vertex $v$, $\mathrm{Pred}(v) \subseteq \{v_\top\}$, so the projection operation in step 1 can always be performed. This produces a pair $pk = (H, \sigma_\top)$ which is similar, but not necessarily identically distributed, to a public key. In step 3, if $v \in \mu(m)$, then $\mathrm{Pred}(v) \subseteq \mu(m)$ because cut $\mu(m)$ is closed. So, unless execution is aborted, $\mathrm{Pred}(v) \subseteq \mu(m)$ and $\sigma_m$ can be computed from $\sigma_v$. Similarly, in step 5, if execution does not abort, $v \notin \mu(m')$ and $\mu(m') \subseteq \mathrm{Succ}(v)$. So, $\sigma'_v$ can be computed from $\sigma'$. Therefore, $\mathcal{A}$ always either aborts or it succeeds, i.e., it outputs a cut $\sigma'_v : \mathrm{Succ}(v)$ such that $\Pi_{\{v_\top\}}(\sigma'_v) = \sigma_\top$. We use $\mathcal{A}$ to define $\mathcal{I}_G$, $\mathcal{I}_H$, $\mathcal{C}_H$ and $\mathcal{D}_G$.


4.1 Inverting H 

Algorithm $\mathcal{I}_H$ on input a hash function $H$ and target value $y \in R$ chooses one vertex $v \in V_H$ at random, and selects $\sigma_v$ uniformly at random among all labeled cuts $\sigma : \mathrm{Pred}(v)$ such that $\sigma(e) = y$, where $e$ is the only edge departing from $v$. Then algorithm $\mathcal{I}_H$ calls $\mathcal{A}(H, v, \sigma_v)$. If $\mathcal{A}$ aborts, $\mathcal{I}_H$ also aborts. Otherwise, let $\sigma'_v : \mathrm{Succ}(v)$ be the signature output by $\mathcal{A}$. The output of $\mathcal{I}_H$ is $\sigma'_v(e_0); \sigma'_v(e_1)$, where $e_0, e_1$ are the edges pointing to $v$.

We remark that $\mathcal{I}_H$ may either abort, terminate successfully with a pre-image of $y$ under $H$, or fail, i.e., terminate without aborting but with an output value $x_0; x_1$ such that $H(x_0; x_1) \neq y$. The distinction between aborting execution and failure to invert will be used in the analysis.


4.2 Inverting G 

The algorithm to invert $G$ is similar to $\mathcal{I}_H$. $\mathcal{I}_G$ on input a target value $(x_1; x_2) \in R^2$ chooses $H \in \mathcal{H}$ uniformly at random, picks one vertex $v \in V_G$, and selects $\sigma_v$ uniformly among all labeled cuts $\sigma : \mathrm{Pred}(v)$ such that $\sigma(e_1) = x_1$ and $\sigma(e_2) = x_2$, where $e_1, e_2$ are the edges departing from $v$. Then it calls $\mathcal{A}(H, v, \sigma_v)$. If $\mathcal{A}$ aborts, $\mathcal{I}_G$ also aborts. Otherwise, let $\sigma'_v : \mathrm{Succ}(v)$ be the signature output by $\mathcal{A}$. The output of $\mathcal{I}_G$ is $\sigma'_v(e_0)$, where $e_0$ is the edge pointing to $v$. As for $\mathcal{I}_H$, inverter $\mathcal{I}_G$ can either abort, terminate successfully, or fail.


4.3 Finding Collisions 

In order to describe the collision finder algorithm we need the following lemma. The proof is simple and can be seen in the full version of this paper [HM02]. The proof uses the assumption that $G$ is one-to-one.

Lemma 1. For any cut $C \in \mathrm{Cuts}(V, E)$ and labelings $\sigma : C$ and $\sigma' : C$, if $\sigma \neq \sigma'$ and $\Pi_{\{v_\top\}}(\sigma) = \Pi_{\{v_\top\}}(\sigma')$, then there exists a compression node $v$ not in $C$ with incoming edges $e_0, e_1$ such that $([\sigma](e_0), [\sigma](e_1))$ and $([\sigma'](e_0), [\sigma'](e_1))$ form a collision, i.e., $H([\sigma](e_0), [\sigma](e_1)) = H([\sigma'](e_0), [\sigma'](e_1))$ and $[\sigma](e_i) \neq [\sigma'](e_i)$ for some $i \in \{0, 1\}$.

The collision finder $\mathcal{C}_H$ takes as input a hash function $H$, and selects a vertex $v \in V_G \cup V_H$ uniformly at random. Notice that $v \in V_G$ and $v \in V_H$ happen with the same probability because $V_G$ and $V_H$ have the same size. The rest of the collision finder algorithm is similar to $\mathcal{I}_G$ or $\mathcal{I}_H$, depending on whether $v \in V_G$ or $v \in V_H$.

If $v \in V_G$, then $\mathcal{C}_H$ chooses $x \in R$ uniformly at random, computes $(y_1; y_2) = G(x)$, and picks $\sigma_v$ uniformly at random among all labeled cuts $\sigma : \mathrm{Pred}(v)$ such that $\sigma(e_1) = y_1$ and $\sigma(e_2) = y_2$, where $e_1, e_2$ are the edges departing from $v$. Then it calls $\mathcal{A}(H, v, \sigma_v)$. If $\mathcal{A}$ aborts, $\mathcal{C}_H$ also aborts. Otherwise, let $\sigma'_v : \mathrm{Succ}(v)$ be the signature output by $\mathcal{A}$, and consider the cut $\mathrm{Succ}(v) \setminus \{v\}$. Notice that $\mathrm{Succ}(v) \subseteq \mathrm{Succ}(v) \setminus \{v\}$ and $\mathrm{Pred}(v) \subseteq \mathrm{Succ}(v) \setminus \{v\}$. Therefore, we can compute two labelings $\sigma = \Pi_{\mathrm{Succ}(v) \setminus \{v\}}(\sigma_v)$ and $\sigma' = \Pi_{\mathrm{Succ}(v) \setminus \{v\}}(\sigma'_v)$. If $\sigma \neq \sigma'$, then compute a collision from $\sigma$ and $\sigma'$ using Lemma 1.

If $v \in V_H$, then $\mathcal{C}_H$ chooses $x_0, x_1 \in R$ uniformly at random, computes $x_2 = H(x_0, x_1)$, and picks $\sigma_v$ uniformly at random among all labeled cuts $\sigma : \mathrm{Pred}(v)$ such that $\sigma(e_2) = x_2$. It then calls $\mathcal{A}(H, v, \sigma_v)$. If $\mathcal{A}$ aborts, $\mathcal{C}_H$ also aborts. Otherwise, let $\sigma'_v : \mathrm{Succ}(v)$ be the signature output by $\mathcal{A}$, and consider the cut $\mathrm{Succ}(v) \setminus \{v\}$. As before, $\mathrm{Succ}(v) \subseteq \mathrm{Succ}(v) \setminus \{v\}$ and $\mathrm{Pred}(v) \subseteq \mathrm{Succ}(v) \setminus \{v\}$. Therefore, we can compute two labelings $\sigma = \Pi_{\mathrm{Succ}(v) \setminus \{v\}}(\sigma_v)$ and $\sigma' = \Pi_{\mathrm{Succ}(v) \setminus \{v\}}(\sigma'_v)$. If $\sigma \neq \sigma'$, then compute a collision from $\sigma$ and $\sigma'$ using Lemma 1.
4.4 Distinguishing G

Finally we describe a possible distinguisher for $G$. On input $(x_1; x_2) \in R^2$, $\mathcal{D}_G$ picks a random vertex $v \in V$ and a hash function $H \in \mathcal{H}$. This time vertex $v$ is not selected with uniform probability, but with probability proportional to $|V_G \cap (\mathrm{Pred}(v) \setminus \{v\})|$. Then $\mathcal{D}_G$ chooses a node $u \in V_G \cap (\mathrm{Pred}(v) \setminus \{v\})$ uniformly at random, and computes $\sigma_v$ as follows. Let $\{\sigma : \bigcup_{u' < u} \mathrm{Pred}(u')\}$ denote the set of all labelings defined over the union of cuts $\mathrm{Pred}(u')$ for all expansion vertices $u' < u$ in the predecessor set of $v$ but not including $v$; in other words, it denotes the union of cuts $\mathrm{Pred}(u')$ such that $u' < u$ and $u' \in V_G \cap (\mathrm{Pred}(v) \setminus \{v\})$. In this union, each labeling satisfies $\sigma(e_1); \sigma(e_2) = x_1; x_2$, where $e_1, e_2$ are the edges departing from $u$. Distinguisher $\mathcal{D}_G$ selects $\sigma_u$ uniformly at random in $\{\sigma : \bigcup_{u' < u} \mathrm{Pred}(u')\}$, and computes $\sigma_v = \Pi_{\mathrm{Pred}(v)}(\sigma_u)$. Notice that for every predecessor $u'$ of $v$, $\mathrm{Pred}(u') \subseteq \mathrm{Pred}(v)$, so the labeled cut $\sigma_v$ can be computed from $\sigma_u$.

Procedure $\mathcal{A}$ is run on input $H, v, \sigma_v$. If $\mathcal{A}$ aborts then $\mathcal{D}_G$ outputs "random", while if $\mathcal{A}$ does not abort $\mathcal{D}_G$ outputs "pseudorandom".

5 Analysis 

In this section we relate the success probability of the forger algorithm $\mathcal{F}$ to the success probability of attacks on $G$ and $\mathcal{H}$. The following result states that if $G$ is a one-to-one pseudorandom generator and $\mathcal{H}$ is a regular collision-resistant hash function family, then the GBOTS scheme is existentially secure under one-chosen-message attack.

Theorem 1. Let $(V, E)$ be a directed acyclic graph, $G$ a one-to-one pseudorandom generator, and $\mathcal{H}$ a regular collision-resistant family of hash functions, and consider the corresponding GBOTS scheme. Let $\mathcal{F}$ be a forger that succeeds with probability $\delta$. Then $\delta \le (\alpha\epsilon_D + \epsilon_C + \epsilon_G + \epsilon_H)\, n$, where $\alpha < n$ is the average number of $V_G$ predecessors of a random vertex in the graph and $\epsilon_G, \epsilon_H, \epsilon_C, \epsilon_D$ are the success probabilities (or advantages) of adversaries $\mathcal{I}_G, \mathcal{I}_H, \mathcal{C}_H, \mathcal{D}_G$ as defined in the previous section.

In order to prove the result, we first show that the success probability of the adversaries $\mathcal{I}_G$, $\mathcal{I}_H$ and $\mathcal{C}_H$ is tightly related to the aborting probability of procedure $\mathcal{A}$ when called on randomly chosen inputs. We make this statement more precise below. First, we need some notation.

A labeled cut $\sigma$ is said to be consistent with $(v, y) \in V \times (R^2 \cup R)$ if one of two cases holds: (a) if $v \in V_G$ and $y = y_1; y_2 \in R^2$ then $\sigma(e_1) = y_1$ and $\sigma(e_2) = y_2$, where $e_1$ and $e_2$ are the edges departing from $v$, or (b) if $v \in V_H$ and $y \in R$ then $\sigma(e) = y$, where $e$ is the only edge departing from $v$. The set of all labeled cuts $\sigma$ consistent with $(v, y)$ is denoted $\{\sigma : \mathrm{Pred}(v)_y\}$. In particular, if either $v \in V_G$ and $y = G(x)$ for $x \in R$ chosen uniformly at random, or $v \in V_H$ and $y = H(x_1; x_2)$ for $x_1; x_2 \in R^2$ chosen uniformly at random, the set $\{\sigma : \mathrm{Pred}(v)_y\}$ is denoted $\{\sigma : \mathrm{Pred}(v)_{H/G(\cdot)}\}$.
Consider the following experiment. First, we choose a vertex $v \in V_H \cup V_G$, a hash function $H \in \mathcal{H}$ and a labeled cut $\sigma_v \in \{\sigma : \mathrm{Pred}(v)_{H/G(\cdot)}\}$ uniformly at random. Then we call procedure $\mathcal{A}$ on input $(H, v, \sigma_v)$. (For simplicity's sake, when clear from the context, we use $\mathcal{A}(\cdot)$ to denote $\mathcal{A}(H, v, \sigma_v)$.) Let NoAbort denote the event that $\mathcal{A}$ does not abort in this experiment. The following lemma shows that the combined success probability of adversaries $\mathcal{I}_G$, $\mathcal{I}_H$ and $\mathcal{C}_H$ is equal to the probability of the event NoAbort.

Lemma 2. Let $\epsilon_H$, $\epsilon_G$ and $\epsilon_C$ be the advantages of adversaries $\mathcal{I}_H$, $\mathcal{I}_G$ and $\mathcal{C}_H$. Let NoAbort be the event described above. Then $\epsilon_H + \epsilon_G + \epsilon_C = \Pr[\mathrm{NoAbort}]$.

Proof. We analyze the success probability of adversaries $\mathcal{I}_H$, $\mathcal{I}_G$ and $\mathcal{C}_H$ in turn. First, the success probability $\epsilon_H$ of adversary $\mathcal{I}_H$ is the probability that, for $x_1; x_2 \in R^2$ and $H \in \mathcal{H}$ chosen uniformly at random, $H(\mathcal{I}_H(H, H(x_1; x_2))) = H(x_1; x_2)$, that is, that $\mathcal{I}_H$ returns a pre-image of $H(x_1; x_2)$ for a random domain point $x_1; x_2$. For $X \in \{H, G\}$, let $\Pr_X[E]$ denote the probability of event $E$ when $H \in \mathcal{H}$, $v \in V_X$ and $\sigma_v \in \{\sigma : \mathrm{Pred}(v)_{H/G(\cdot)}\}$ are chosen uniformly at random. Then

$$\epsilon_H = \Pr_H[H(x') = H(x),\ x' \leftarrow \mathcal{A}(H, v, \sigma_v),\ x' \neq \mathrm{abort}] = (1 - \Pr_H[H(x') \neq H(x) \mid \mathcal{A}(\cdot) \neq \mathrm{abort}]) \cdot \Pr_H[\mathcal{A}(\cdot) \neq \mathrm{abort}]$$

Similarly, for adversary $\mathcal{I}_G$ we have

$$\epsilon_G = (1 - \Pr_G[G(x') \neq G(x) \mid \mathcal{A}(\cdot) \neq \mathrm{abort}]) \cdot \Pr_G[\mathcal{A}(\cdot) \neq \mathrm{abort}]$$

Lastly, recall that adversary $\mathcal{C}_H$ is successful if, after running $\mathcal{A}$ on a randomly chosen $v \in V_H \cup V_G$, either $G(x) \neq G(x')$ if $v \in V_G$ or $H(x) \neq H(x')$ if $v \in V_H$. Thus,

$$\epsilon_C = \tfrac{1}{2} \cdot \big( \Pr_H[H(x') \neq H(x) \mid x' \leftarrow \mathcal{A}(\cdot),\ x' \neq \mathrm{abort}] \cdot \Pr_H[\mathcal{A}(\cdot) \neq \mathrm{abort}] + \Pr_G[G(x') \neq G(x) \mid \mathcal{A}(\cdot) \neq \mathrm{abort}] \cdot \Pr_G[\mathcal{A}(\cdot) \neq \mathrm{abort}] \big)$$

Combining the above results and using that $|V_H| = |V_G|$, the result follows.

As a second step toward proving Theorem 1, the next lemma shows that the success probability of the distinguisher $\mathcal{D}_G$ is related to the difference between the forger's success probability and the probability that procedure $\mathcal{A}$ does not abort (in the experiment described in the previous lemma).

Lemma 3. Let $\epsilon_D$ and $\delta$ denote the advantage of distinguisher $\mathcal{D}_G$ and forger $\mathcal{F}$ respectively, and let $\alpha$ and NoAbort be defined as before. Then

$$\delta \le n \cdot (\alpha\epsilon_D + \Pr[\mathrm{NoAbort}]).$$

The following notation will be useful in the proof. For any $v \in V$, let $W(v) = V_G \cap \mathrm{Pred}(v) \setminus \{v\}$ denote the set of all expansion vertices which are predecessors of $v$. Also, given a vertex $v \in V$ and a vertex $u \in W(v)$, let $\mathrm{Pred}_v(<u) = \bigcup_{u' < u,\ u' \in W(v)} \mathrm{Pred}(u')$ be the cut formed by the union over $u' < u$ of all sets $\mathrm{Pred}(u') \subseteq \mathrm{Pred}(v)$. (Recall that $<$ is a total order relation over $V_G$.) Also, let $\{\sigma : \mathrm{Pred}_v(<u)\}$ denote the set of all labeled cuts on $\mathrm{Pred}_v(<u)$; as before, for $y_1; y_2 \in R^2$, let $\{\sigma : \mathrm{Pred}_v(<u)_{y_1; y_2}\}$ denote the set of all labeled cuts compatible with $(u, y_1; y_2)$. (We stress that the compatibility is with respect to vertex $u$, that is, $\sigma(e_1); \sigma(e_2) = y_1; y_2$.) As before, if $x \in R$ is uniformly distributed, the set $\{\sigma : \mathrm{Pred}_v(<u)_{G(x)}\}$ is denoted by $\{\sigma : \mathrm{Pred}_v(<u)_{G(\cdot)}\}$. Notice that in this extended definition, $\mathrm{Pred}_v(<u) \subseteq \mathrm{Pred}(v)$ and therefore a labeled cut for $\mathrm{Pred}(v)$ can be computed from any labeled cut in $\{\sigma : \mathrm{Pred}_v(<u)\}$.

Proof (Lemma 3). By definition, $\epsilon_D = p_1 - p_0$, where $p_1$ and $p_0$ denote the probability that $\mathcal{D}_G(y_1; y_2) = 1$ when $x \leftarrow R$, $y_1; y_2 \leftarrow G(x)$, and the probability that $\mathcal{D}_G(y_1; y_2) = 1$ when $y_1; y_2 \leftarrow R^2$, respectively. Consider the following two experiments, which we denote $\mathrm{Exp}_1$ and $\mathrm{Exp}_0$. In the first one, we choose $H \in \mathcal{H}$ uniformly at random, $v \in V_H \cup V_G$ with probability proportional to $|W(v)|$, $u \in W(v)$ and $\sigma_u \in \{\sigma : \mathrm{Pred}_v(<u)_{G(\cdot)}\}$ uniformly at random; we then compute $\sigma_v$ as an extension of $\sigma_u$ by $\sigma_v = \Pi_{\mathrm{Pred}(v)}(\sigma_u)$ and finally call $\mathcal{A}$ on input $(H, v, \sigma_v)$. The second experiment, $\mathrm{Exp}_0$, is similar to the previous one, with the exception that $\sigma_u$ is drawn at random from $\{\sigma : \math rm{Pred}_v(<u)_{y_1; y_2}\}$ for $y_1; y_2 \leftarrow R^2$. Let $q_1(v', u')$ and $q_0(v', u')$ denote the probability that procedure $\mathcal{A}$ does not abort in $\mathrm{Exp}_1$ and $\mathrm{Exp}_0$ respectively, conditioned on the event that $v = v'$ and $u = u'$ are chosen in each experiment.

Let $\alpha = \frac{1}{n} \sum_{v \in V_H \cup V_G} |W(v)|$ be the average number of expansion vertices of a random vertex in the graph. We claim that

$$p_1 = \frac{1}{n\alpha} \sum_{v \in V_H \cup V_G} \sum_{u \in W(v)} q_1(v, u) \quad \text{and} \quad p_0 = \frac{1}{n\alpha} \sum_{v \in V_H \cup V_G} \sum_{u \in W(v)} q_0(v, u) \qquad (1)$$

and that for all $v \in V_H \cup V_G$ and $u \in W(v) \cup \{v\}$

$$q_0(v, u^*) = q_1(v, u) \qquad (2)$$

$$\sum_{v \in V_H \cup V_G} q_1(v, \hat v) \ge \delta \qquad (3)$$

$$\sum_{v \in V_H \cup V_G} q_0(v, v^*) = n \cdot \Pr[\mathrm{NoAbort}] \qquad (4)$$

where $u^* = \max_{u' < u}(u')$ denotes the biggest vertex in $V_G$ smaller than $u \in V_G$, and $\hat v = \min_{v \in V_G}(v)$ is the "smallest" expansion vertex in $V_G$ (where "biggest" and "smallest" refer to the $<$ ordering relation).

Before proving these claims, we use them to finish the proof of the lemma. Using equations (1)-(4), we have

$$\epsilon_D = \frac{1}{n\alpha} \sum_{v \in V_H \cup V_G} \{ q_1(v, \hat v) - q_0(v, v^*) \} \ \ge\ \frac{1}{n\alpha} \cdot (\delta - n \cdot \Pr[\mathrm{NoAbort}])$$

which gives the desired result.
We now justify the claimed equations (1)-(4) by analyzing each of them in turn. To justify the first part of (1), notice that by definition of $p_1$ and standard conditioning we have

$$p_1 = \Pr_{v \leftarrow V_G \cup V_H,\ u \leftarrow W(v),\ H \leftarrow \mathcal{H},\ x \leftarrow R,\ \sigma_u \leftarrow \{\sigma : \mathrm{Pred}_v(<u)_{G(x)}\}} \big[ \mathcal{A}(H, v, \sigma_v) \neq \mathrm{abort} \big] = \sum_{v \in V_H \cup V_G} \sum_{u \in W(v)} q_1(v, u) \cdot \Pr[u \mid v] \cdot \Pr[v] = \sum_{v \in V_H \cup V_G} \frac{\Pr[v]}{|W(v)|} \sum_{u \in W(v)} q_1(v, u)$$

where $v \leftarrow V_G \cup V_H$ means vertex $v$ is drawn from set $V_G \cup V_H$ with probability proportional to $|W(v)|$. Since, for all $v \in V$, $\Pr[v] = |W(v)| / (n\alpha)$, Equation (1) holds. The second part of (1) follows from a similar argument.

We justify Equation (2) as follows. Fix $v \in V_H \cup V_G$ and $u \in W(v) \cup \{v\}$. Consider experiment $\mathrm{Exp}_0$, and assume $v$ and $u^* \in W(v)$ are the vertices chosen. First of all, notice that $\mathrm{Pred}_v(<u^*) \subseteq \mathrm{Pred}_v(<u)$ because $u^* < u$, and thus $\sigma_u$ can be computed from $\sigma_{u^*}$. Second, assume $v \in V_G$. Since the labeled cut $\sigma_{u^*} \in \{\sigma : \mathrm{Pred}_v(<u^*)\}$ is chosen uniformly at random, there is no other expansion node on any path between $u' < u^*$ and $u$, and $H$ is regular, the induced labeled cut $\sigma_u = \Pi_{\mathrm{Pred}(u)}(\sigma_{u^*}) \in \{\sigma : \mathrm{Pred}_v(<u)\}$ is such that $\sigma_u(e_1); \sigma_u(e_2) = G(x)$ for some $x \in R$ uniformly distributed ($e_1$ and $e_2$ are the edges leaving vertex $u$). The same argument when $v \in V_H$ boils down to $\sigma_u(e) = H(x_1; x_2)$ for uniformly distributed $x_1; x_2 \in R^2$ and $e$ the only edge leaving $u$. Thus, $\sigma_u \in \{\sigma : \mathrm{Pred}_v(<u)_R\}$, and $q_0(v, u^*) = q_1(v, u)$.

To justify Equation (3) we notice that when distinguisher $\mathcal{D}_G$ chooses $u = \hat v$, the distribution of the public key and signature so computed by $\mathcal{A}$ from $\sigma_u$ is the same distribution the forger expects in the one-chosen-message attack and, thus, the output of the forger is independent of the choice of $v$:

$$\sum_{v \in V_H \cup V_G} q_1(v, \hat v) = \sum_{v \in V_H \cup V_G} \Pr\big[ \mathcal{F}(m, \sigma_m) = (m', \sigma'),\ m \neq m',\ v \in \mu(m),\ v \notin \mu(m') \big] \ \ge\ \delta$$

where the last inequality follows from the fact that, for any $m, m' \in \mathcal{M}$, if $m \neq m'$ there always exists $v \in V_H \cup V_G$ such that $v \in \mu(m)$ but $v \notin \mu(m')$; otherwise $m$ and $m'$ would be comparable.

It remains to prove Equation (4). This follows from $q_0(v, v^*) = q_1(v, v) = \Pr[\mathrm{NoAbort} \mid v]$ and from vertex $v \in V_H \cup V_G$ being chosen uniformly at random in the experiment that defines the event NoAbort. This concludes the proof of the lemma.

Proof (Theorem 1). Immediate from Lemma 2 and Lemma 3.
6 Extensions


In this section we consider extensions of the basic security results presented in 
the previous sections. The first one concerns relaxing the security assumptions 
about the underlying primitives G, H. The second applies the ideas in our proof 
of security to build provably secure signature schemes with special algebraic 
properties. 

Universal One-Way Hash Functions: The collision-resistance requirement on the hash function family $\mathcal{H}$ can be relaxed to universal one-wayness as defined by Naor and Yung [NY89]. Recall that universal one-way hash function (UOWHF) families are such that it is hard to find a colliding pair $x \neq x'$ with $H(x) = H(x')$, but the adversary must select $x$ before $H$ is given to it. We modify our GBOTS construction so that for each compression vertex $v$ a different randomly chosen function $H_v \in \mathcal{H}$ is used. The security argument in this case is modified as follows. In order to compute $\sigma_\top = \Pi_{\{v_\top\}}(\sigma_v)$, algorithm $\mathcal{A}(H, v, \sigma_v)$ picks a hash function $H_v \in \mathcal{H}$ uniformly at random anew to compute the label of each edge leaving a compression vertex, with the exception of the edge corresponding to $v$, for which $H$ is used. Thus, adversary $\mathcal{I}_H$ needs only to pick ahead a random value $x \in R^2$ and, once given a target hash function $H$, to use procedure $\mathcal{A}$ to invert $H(x)$. Similarly, for $\mathcal{C}_H$ it suffices to guess the compression vertex where the collision given by Lemma 1 will be found, and to use the target hash function $H$ there. Adversaries $\mathcal{I}_G$ and $\mathcal{D}_G$ remain the same. The remaining security argument does not differ substantially from the one presented in Section 4. We point out that regular universal one-way hash functions and one-to-one pseudorandom generators can be constructed from any one-way permutation [NY89, CMK98].

Mapping Messages to Edges (or Vertices): In this paper, we associate values to edges in the graph and functions to vertices. This approach can be seen as dual to the one used in [BM94], which associates values to vertices and functions to edges. Both approaches are essentially equivalent from a syntax viewpoint and in terms of the class of schemes they yield. From a foundational viewpoint, we believe that the approach presented here is conceptually simpler.

Graph Based Algebraic Signature Schemes: Algebraic signature schemes 
are signature schemes in which signatures for (certain) new messages can be pro- 
duced by combining signatures with a restricted set of operations. Since these 
operations do not require knowledge of the secret key, algebraic signatures are 
not signature schemes in the standard interpretation of the term, but they are 
a new cryptographic primitive. They are useful in contexts where possession of 
signatures of certain messages automatically entitles possession of signatures of 
new messages, such as in credential systems. Credentials may be implemented 
as signed documents which specify capabilities (or attributions) to be granted to 
the credential holder. Thus, if implemented with the appropriate algebraic sig- 
nature, the possession of one or more credentials (signatures) will automatically 
enable the computation of the entitled credentials without the involvement of the original signer. Algebraic signatures were originally suggested by Rivest [MR02].

Informally, an algebraic signature scheme consists of three algorithms $AS = (KG, Sig, Vf)$ and two sets of operations $O = \{f_1, f_2, \ldots, f_q\}$ and $S = \{g_1, g_2, \ldots, g_s\}$, where each $f_i$ (resp. $g_i$) is a function that takes one or more messages (resp. signatures) as inputs and produces one message (resp. signature) as output. KG, Sig, and Vf are as in any digital signature scheme (see Section 2.1). We require that if $\sigma_1, \ldots, \sigma_t$ are valid signatures for $m_1, \ldots, m_t$ then $g_i(\sigma_1, \ldots, \sigma_t)$ is a valid signature for $f_i(m_1, \ldots, m_t)$ for all appropriate $f_i, g_i$. Notice that signatures so generated are subject to existential forgery under chosen-message attacks, so a new definition of security is required. Let $\mathrm{span}(O, \{m_1, \ldots, m_t\})$ be the set of all messages computable from $\{m_1, \ldots, m_t\}$ by applying functions in $O$ to them. The security of algebraic signatures is defined in terms of unforgeability against chosen-message attacks, where by convention the forger is deemed successful only if it outputs a signature of a message $m$ not in the set $\mathrm{span}(O, \{m_1, \ldots, m_t\})$.

Graph-based one-time signatures can be used to build very efficient algebraic signatures. Indeed, for practical functions $f_i$, it is possible to build graphs such that $f_i$ is embedded in the order relation $\subseteq$. That is, if $f_i(m_1, m_2) = m_3$, then there exists a labeling $\sigma : \mu(m_3)$ which can be computed from labelings $\sigma_1 : \mu(m_1)$ and $\sigma_2 : \mu(m_2)$ and is consistent with them.

Notice that the proof of security of Sections 4 and 5 can be easily modified to prove that our (graph-based) algebraic signature scheme $AS$ is secure. Indeed, the only technical difference is that the forger $\mathcal{F}$ can request multiple signatures $\sigma_m : \mu(m)$. This can be easily factored in by modifying Procedure $\mathcal{A}$ so that each signature $\sigma_m$ is computed from $\sigma_v$ (or $\mathcal{A}$ aborts, if this is not possible). Since the forger $\mathcal{F}$ must output $(m', \sigma')$ for $m'$ not in $\mathrm{span}(O, \bigcup_m \mu(m))$, there must exist $v \in \bigcup_m \mu(m)$ with $v \notin \mu(m')$, and the argument goes through. The rest of the proof is identical and, in particular, adversaries $\mathcal{I}_G$, $\mathcal{C}_H$, $\mathcal{D}_G$ remain the same, given black-box access to $\mathcal{A}$.

Concrete Constructions of Algebraic Signature Schemes: In this section we sketch concrete graph constructions that yield algebraic signature schemes with respect to (a) union and subset operations, and (b) union and super-intersection operations. (Recall that the super-intersection of sets $A$ and $B$, denoted $A \odot B$, is the collection of all sets $S$ such that $A \cap B \subseteq S \subseteq A \cup B$.)

Let $\mathcal{M}$ be the set of all subsets of $n$ elements, which we denote $t_0, \ldots, t_{n-1}$. Consider the graph shown in Figure 6. (Although the figure shows vertices $v_i$ having indegree and outdegree 1, and the vertices $v'_\bot$ and $v'_\top$ having outdegree and indegree $n$, respectively, it is easy to cast this graph as one with the properties considered in this work. Indeed, it suffices to replace each vertex $v_i$ with a small subgraph of 2 compression and 2 expansion vertices, and to connect each $v_i$ to both $v'_\bot$ and $v'_\top$ by a simple tree construction.)

We map every set $S$ into the set of vertices $\mu(S) = C$ defined as follows: vertices $v_\bot$ and $v'_\bot$ are in $C$, and vertex $v_i$ is in $C$ if and only if $t_i \notin S$. Notice that $C$ is a valid cut for any set $S$. Given a labeled cut $\sigma : \mu(S)$, the labeling for any $C' = \mu(S')$ such that $S' \subseteq S$ can be computed by projecting $\sigma : \mu(S)$ on $C'$.
Fig. 6. DAG for the algebraic scheme with operations {∪, subset}.


The union operation is defined similarly, since given labeled cuts $\sigma_1 : \mu(S_1)$ and $\sigma_2 : \mu(S_2)$ a consistent labeled cut for $\mu(S_1 \cup S_2)$ can be computed.

An algebraic signature scheme for the $\{\cup, \odot\}$ operations can be built by using two graphs $\mathcal{G}_1$ and $\mathcal{G}_2$, each like the one described above. In this case, given a set $S$, we define the cut on the first graph by using the rule shown above, while for the second graph we "invert" the condition and include the corresponding vertices only if $t_i \in S$. It is an easy exercise to verify that such a mapping allows the computation of labeled cuts corresponding to the union and super-intersection of two sets $S_1$ and $S_2$, given labeled cuts $\sigma_1 : \mu(S_1)$ and $\sigma_2 : \mu(S_2)$.


7 Conclusions 

In this paper, we analyze graph based signatures from a security viewpoint and 
give sufficient conditions, namely the existence of one-way permutations, under 
which the signature scheme is secure in the standard complexity model (no 
random oracles). Additionally, we present a security proof which uses a new 
hybrid argument where the number of hybrid distributions may be exponential. 
We believe this technique is of independent interest. We also propose a new 
paradigm for the construction of algebraic signature schemes, which are new 
useful primitives for applications where controlled “forgeability” of signatures is 
needed, as in credential systems. 
Abstract. We present novel realizations of the transitive signature primitive introduced by Micali and Rivest [12], and also provide an answer to an open question they raise regarding the security of their RSA based scheme. Our schemes provide performance improvements over the scheme of [12].

Keywords: Signatures, transitive signatures, RSA. 


1 Introduction 

The Concept. The context envisioned by Micali and Rivest [12] is that of dynamically building an authenticated graph, edge by edge. The signer, having secret key tsk and public key tpk, can at any time pick a pair i, j of nodes and create a signature of {i, j}, thereby adding edge {i, j} to the graph. A composability property is required: given a signature of an edge {i, j} and a signature of an edge {j, k}, anyone in possession of the public key can create a signature of the edge {i, k}. Security asks that this limited class of forgeries be the only possible ones. (I.e., without tsk, it should be hard to create a valid signature of edge {i, j} unless i, j are connected by a path whose edges have been explicitly authenticated by the signer.) Thus the authenticated graph at any point is the transitive closure of the graph formed by the edges explicitly authenticated by the signer, whence the name of the concept. We refer the reader to Section [?] for formal definitions and to [12] for motivation and potential applications.
Realizing the Concept. A transitive signature scheme can be trivially realized by accepting, as a valid signature of {i, j}, any chain of signatures that authenticates a sequence of edges forming a path from i to j. Two issues lead [12] to exclude this: the growth in signature size, and the loss of privacy incurred by having signatures carry information about their history. The main result of [12] is a (non-trivial) transitive signature scheme (we call it the MRTS scheme) proven to be (transitively) unforgeable under adaptive chosen-message attack (see Section [?] for formal definitions) assuming that the discrete logarithm problem is hard in an underlying prime-order group and assuming security of an underlying standard signature scheme. They also present a natural RSA based transitive signature scheme but point out that even though it seems secure, and a proof of unforgeability under non-adaptive chosen-message attacks exists, there is no known proof of unforgeability under adaptive chosen-message attacks. They thereby highlight the fact that in this domain, adaptive attacks might be harder to provably protect against than non-adaptive ones.

In summary, transitive signatures (unforgeable under adaptive chosen-message attacks) at this point have just a single realization, namely the MRTS scheme. It is standard practice in cryptography to seek new and alternative realizations of primitives of potential interest, both to provide firmer theoretical foundations for the existence of the primitive by basing it on alternative conjectured hard problems and to obtain performance improvements. This paper presents new schemes that accomplish both of these objectives, and also provides an answer to the question about the RSA scheme.

The Node Certification Paradigm. It is worth outlining the node certification based paradigm introduced by the MRTS scheme, which will be our starting point. The signer's keys include those of a standard digital signature scheme, and the public key includes additional items. (In the MRTS scheme, this is a group G of prime order q and a pair of generators of G.) The signer associates to each node i in the current graph a node certificate consisting of a public label L(i) and a signature of (i, L(i)) under the standard scheme. The signature of an edge contains the certificates of its endpoints plus an edge label δ. Verification of the signature of an edge involves relating the edge label to the public labels of its endpoints as provided in the node certificates and verifying the standard signatures in the node certificates. Composition involves algebraic manipulation of edge labels.¹

The paradigm is useful, but brings an associated cost. Producing a signature 
for an edge can involve computing two normal signatures. The length of an edge 
signature, containing two node certificates each including a standard signature, 
can be large even if the edge labels are small. 

1.1 Transitive Signatures Based on Factoring 

Our first factoring-based transitive signature (FBTS-1) scheme stays within the 
node certification paradigm but, by implementing label algebra via square-roots 
modulo a composite, provides security based on factoring while reducing some 
costs compared to MRTS. 

FBTS-1. The signer has keys for a standard signature scheme, and its public key additionally includes a modulus $N$, product of two large primes. The public label of a node $i$ is a quadratic residue $L(i) \in \mathbb{Z}_N^*$, and an edge label of edge $\{i, j\}$ is a square root of $L(i)L(j)^{-1} \bmod N$, assuming $i < j$. Composition involves multiplying edge labels modulo $N$. We prove that FBTS-1 is unforgeable

¹ Note that the signer is stateful, and once quantities associated to a node are created, they are stored and re-used for all edges adjacent to this node. This is important for security. See Section [?] for a discussion of how state can be eliminated.
under adaptive chosen-message attack, assuming the hardness of factoring the underlying modulus, and assuming security of the underlying standard signature scheme. The delicate part of this proof is an information-theoretic lemma showing that, even under an adaptive chosen-message attack, for any $\{i, j\}$ not in the transitive closure of the current graph, an adversary has zero advantage in determining which of the square roots of $L(i)L(j)^{-1}$ is held by the signer.
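As an added example (not the paper's code), a toy-sized Python model of the FBTS-1 label algebra just described: node labels are squares $L(i) = r_i^2 \bmod N$, the edge label of $\{i, j\}$ is the square root $r_i r_j^{-1}$ of $L(i)L(j)^{-1}$, and composition multiplies edge labels. Assumptions: the modulus is built from small constructed primes, the standard signatures carried by node certificates are omitted, and the function and field names are this example's own.

```python
from math import gcd
import secrets

# Toy-sized modulus for illustration only (constructed; a real deployment
# uses primes of hundreds of bits).  p and q are the signer's secret.
P, Q = 1000003, 1000033
N = P * Q

def node_label(state, i):
    """Signer: create once, then re-use, the secret root r_i and the public
    label L(i) = r_i^2 mod N of node i (a quadratic residue in Z_N^*).
    The re-use is the statefulness the scheme relies on: every edge at i
    must see the same L(i) and the same hidden root."""
    if i not in state:
        while True:
            r = secrets.randbelow(N - 2) + 2
            if gcd(r, N) == 1:
                break
        state[i] = r
    return state[i] * state[i] % N

def sign_edge(state, i, j):
    """Signature of edge {i,j}, stored with i < j: both node labels plus the
    edge label delta = r_i * r_j^-1 mod N, a square root of L(i) * L(j)^-1.
    The standard signatures on (i, L(i)) and (j, L(j)) that real node
    certificates carry are omitted in this model."""
    if i == j:
        raise ValueError("an edge joins two distinct nodes")
    if i > j:
        i, j = j, i
    Li, Lj = node_label(state, i), node_label(state, j)
    delta = state[i] * pow(state[j], -1, N) % N
    return {"i": i, "j": j, "L": {i: Li, j: Lj}, "delta": delta}

def verify_edge(sig):
    """Verifier: delta^2 must equal L(i) * L(j)^-1 mod N, with i < j."""
    i, j, delta = sig["i"], sig["j"], sig["delta"]
    if not i < j:
        return False
    Li, Lj = sig["L"][i], sig["L"][j]
    return delta * delta % N == Li * pow(Lj, -1, N) % N

def _directed(sig, a, b):
    """Label of the walk a -> b along signed edge {a,b}: delta for the
    stored orientation, its inverse mod N for the opposite one."""
    if (sig["i"], sig["j"]) == (a, b):
        return sig["delta"]
    if (sig["i"], sig["j"]) == (b, a):
        return pow(sig["delta"], -1, N)
    raise ValueError("edge does not join %r and %r" % (a, b))

def compose(sig1, sig2):
    """Public composition: signatures of {a,b} and {b,c} yield a signature
    of {a,c} by multiplying the directed edge labels mod N.  No secret is
    needed, which is exactly the forgery class the definition permits."""
    common = {sig1["i"], sig1["j"]} & {sig2["i"], sig2["j"]}
    if len(common) != 1:
        raise ValueError("edges must share exactly one node")
    b = common.pop()
    a = sig1["i"] if sig1["j"] == b else sig1["j"]
    c = sig2["i"] if sig2["j"] == b else sig2["j"]
    La, Lc = sig1["L"][a], sig2["L"][c]
    delta = _directed(sig1, a, b) * _directed(sig2, b, c) % N
    if a > c:
        a, c, La, Lc = c, a, Lc, La
        delta = pow(delta, -1, N)
    return {"i": a, "j": c, "L": {a: La, c: Lc}, "delta": delta}
```

Composing in either order yields the same edge label for {a, c}, and a signature whose edge label is altered fails the square check even though the node labels are genuine.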

With regard to costs, we are interested in the computational cost of signing an edge (in the worst case that both endpoints of the edge are not in the current graph); the computational cost of verifying a candidate signature of an edge; the computational cost of composing two edge signatures to obtain another; and the size of a signature. Since FBTS-1 continues to employ the node certification paradigm, it incurs the same costs as MRTS from the use of the standard signature scheme. However, as Figure 1 indicates, it is otherwise cheaper than MRTS for signing and verifying, reducing the extra cost from cubic (exponentiation) to quadratic (a couple of multiplications and an inverse).

FBTS-2: Eliminating Node Certificates. FBTS-1 is amenable to a modification which eliminates the need for node certificates and thereby removes the standard signature scheme, and all its associated costs, from the picture. The signer's public key is a modulus $N$, product of two primes $p, q$ that make up the signer's secret key. The public label of a node $i$ is not chosen by the signer but rather specified via the output of a public hash function applied to $i$. (A difficulty, addressed in Section [?], is that the hash output might not be a quadratic residue.) We prove that FBTS-2 is unforgeable under adaptive chosen-message attack, assuming the hardness of factoring the underlying modulus, in a model where the hash function is a random oracle [?].


| Scheme  | Signing cost                 | Verification cost             | Composition cost | Signature size                                 |
| MRTS    | 2 stand. sigs, 2 exp. in G   | 2 stand. verifs, 1 exp. in G  | 2 adds in Z_q    | 2 stand. sigs, 2 points in G, 2 points in Z_q  |
| FBTS-1  | 2 stand. sigs, O(|N|^2) ops  | 2 stand. verifs, O(|N|^2) ops | O(|N|^2) ops     | 2 stand. sigs, 3 points in Z_N^*               |
| FBTS-2  | 4 sq. roots in Z_N^*         | O(|N|^2) ops                  | O(|N|^2) ops     | 1 point in Z_N^*                               |
| RSATS-1 | 2 stand. sigs, 2 RSA encs    | 2 stand. verifs, 1 RSA enc.   | O(|N|^2) ops     | 2 stand. sigs, 3 points in Z_N^*               |
| RSATS-2 | 1 RSA dec.                   | 1 RSA enc.                    | O(|N|^2) ops     | 1 point in Z_N^*                               |

Fig. 1 . Cost comparisons amongst transitive signature schemes. The word “stand.” 
refers to operations of the underlying standard signature scheme, which are eliminated 
for FBTS-2 and RSATS-2. G denotes the group of prime order q used in MRTS, and N 
denotes a modulus product of two primes as used in the other schemes. Abbreviations 
used are: “exp.” for an exponentiation in the group; “RSA enc.” for an RSA encryption; 
“RSA dec.” for an RSA decryption performed given the decryption exponent; “sq. root” 
for a square root modulo N performed using the prime factors of N’; and “ops” for 
the number of elementary bit operations in big-0 notation. 
As Figure 1 indicates, the major cost saving is the elimination of all costs associated to the standard scheme. However, signing now requires computation of square roots modulo N by the signer based on the prime factorization of N, which has cost comparable to an exponentiation modulo N. Thus overall the main gain is the reduction in signature size.

This hash-based modification is made possible by the fact that squaring modulo a composite is a trapdoor function. The MRTS scheme is not amenable to a similar hash-based modification since the discrete exponentiation function is not trapdoor over the prime order groups used in [?].

1.2 Transitive Signatures Based on RSA

RSATS-1. The RSA-based transitive signature scheme noted in [?] (that we call RSATS-1) employs the node certification paradigm. The signer has keys for a standard signature scheme. Its public key additionally includes an RSA modulus N and encryption exponent e, while its secret key includes the corresponding decryption exponent d. The public label of a node i is a point L(i) ∈ Z*_N, and the edge label of edge {i, j} is L(i)^d L(j)^{-d} mod N assuming i < j. Composition involves multiplying edge labels modulo N. One can prove that RSATS-1 is unforgeable under non-adaptive chosen-message attacks assuming the one-wayness of RSA and the security of the underlying standard signature scheme. No adaptive chosen-message attack that succeeds in forgery has been found, but neither has it been proven that RSATS-1 is unforgeable under adaptive chosen-message attack.

One might wonder why proofs exist for MRTS and FBTS-1 but remain elusive for RSATS-1 in spite of the obvious similarities between these schemes. The proofs for MRTS and FBTS-1 exploit the fact that there are multiple valid edge labels for any given edge in the graph, and that finding two different edge labels implies solving the underlying hard problem. With RSATS-1, the edge label is uniquely determined by the two node certificates, and this paradigm fails.

This situation (namely a scheme that appears to resist both attack and proof) is not uncommon in cryptography, and we suggest that it is a manifestation of the fact that the security of the scheme relies on properties possessed by RSA but going beyond those captured by the assumption that RSA is one-way. Accordingly we seek an alternative, stronger assumption upon which a proof of security can be based.

We prove that RSATS-1 is unforgeable under adaptive chosen-message attacks under the assumption that RSA is secure under one-more-inversion (and the standard signature scheme is secure). This assumption was introduced by [?], who used it to prove the security of Chaum's blind signature scheme [?]. It was also used in [?] to prove security of the GQ identification scheme [?] against impersonation under active attack.

Security under one-more-inversion considers an adversary given as input an RSA public key N, e, and two oracles. The challenge oracle takes no inputs and returns a random target point in Z*_N, chosen anew each time the oracle is invoked. The inversion oracle, given y ∈ Z*_N, returns y^d mod N where d is the decryption exponent corresponding to e. The assumption states that it is computationally infeasible for the adversary to output correct inverses of all the target points if the number of queries it makes to its inversion oracle is strictly less than the number of queries it makes to its challenge oracle. When the adversary makes one challenge query and no inversion queries, this reduces to the standard one-wayness assumption.

| Scheme  | Proven to be unforgeable under adaptive chosen-message attack assuming                                   | RO Model? |
| MRTS    | Security of standard signature scheme; hardness of discrete logarithm problem in a group of prime order | No        |
| FBTS-1  | Security of standard signature scheme; hardness of factoring                                            | No        |
| FBTS-2  | Hardness of factoring                                                                                   | Yes       |
| RSATS-1 | Security of standard signature scheme; RSA is secure against one-more-inversion attack                  | No        |
| RSATS-2 | RSA is secure against one-more-inversion attack                                                         | Yes       |

Fig. 2. Provable security attributes of transitive signature schemes. We indicate the assumptions under which there is a proof of unforgeability under adaptive chosen-message attack, and whether or not the random oracle model is used.

RSATS-2. The trapdoorness of the RSA function makes RSATS-1 amenable to 
the elimination of node certificates via hashing, based on ideas similar to the 
ones we introduced above. We present RSATS-2, a transitive signature scheme 
that is unforgeable under adaptive chosen-message attacks in the random oracle 
model assuming RSA is secure against one-more-inversion. The public label of a 
node i is not chosen by the signer but rather implicitly specified as the output 
of a hash function applied to i, and RSA decryption is used to compute edge 
labels. Finally we note that RSATS-2 is the only one of the schemes discussed 
here whose signer is naturally stateless. 

Figures 1 and 2 summarize, respectively, the costs and provable-security attributes of the various schemes we have introduced, and compare them with the MRTS scheme.
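To make the RSATS-2 description concrete (hash-derived node labels, no certificates, a stateless signer, and composition by multiplication), here is an added Python illustration; it is not the paper's code. It assumes a toy modulus N = (2^31-1)(2^61-1) with e = 65537, SHA-256 reduced mod N as the hash into Z*_N, and takes the edge-label form H(i)^d H(j)^{-d} mod N from the RSATS-1 label with the certified L(i) replaced by the hash H(i); none of these specifics are on the page.

```python
"""Toy RSATS-2-style transitive signature (added illustration, not the paper's
code). Assumed, not from the page: the toy modulus N = (2^31-1)(2^61-1) with
e = 65537, SHA-256 reduced mod N as the hash into Z*_N, and the edge-label form
H(i)^d H(j)^(-d) mod N, i.e. the RSATS-1 label with L(i) replaced by H(i)."""
import hashlib
from math import gcd

P, Q = (1 << 31) - 1, (1 << 61) - 1            # Mersenne primes; far too small for real use
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))              # decryption exponent (Python 3.8+)


def node_label(i: int) -> int:
    """Public label H(i), recomputable by anyone from the node name alone."""
    h = int.from_bytes(hashlib.sha256(b"node:%d" % i).digest(), "big") % N
    if h == 0 or gcd(h, N) != 1:                # vanishingly unlikely; fine for a toy demo
        raise ValueError("hash output not in Z*_N")
    return h


def tsign(i: int, j: int) -> int:
    """Stateless signer: (H(i) H(j)^-1)^d mod N for i < j, one RSA decryption.
    Nothing is stored, so repeated queries for an edge return the same label."""
    if i == j:
        raise ValueError("an edge needs two distinct nodes")
    if j < i:
        i, j = j, i
    return pow(node_label(i) * pow(node_label(j), -1, N) % N, D, N)


def tvf(i: int, j: int, delta: int) -> bool:
    """Verifier: one RSA encryption, delta^e == H(i) H(j)^-1 mod N.
    No certificate travels with the signature; the labels are rehashed."""
    if i == j or not 0 < delta < N:
        return False
    if j < i:
        i, j = j, i
    return pow(delta, E, N) == node_label(i) * pow(node_label(j), -1, N) % N


def comp(i: int, j: int, k: int, d1: int, d2: int) -> int:
    """Compose a label for {i,j} with one for {j,k} into the label for {i,k}.
    A label is oriented from the smaller node to the larger; inverting it mod N
    reverses the orientation, so re-orient both inputs to run i->j and j->k,
    multiply, then orient the product from min(i,k) to max(i,k)."""
    if len({i, j, k}) != 3:
        raise ValueError("composition needs three distinct nodes")
    d1 = d1 if i < j else pow(d1, -1, N)       # now runs from i to j
    d2 = d2 if j < k else pow(d2, -1, N)       # now runs from j to k
    delta = d1 * d2 % N                        # runs from i to k
    return delta if i < k else pow(delta, -1, N)
```

Because the signer keeps no state, tsign(1, 2) and tsign(2, 1) return the same label, and composing tsign(1, 2) with tsign(2, 3) yields exactly tsign(1, 3), which is the strong identical-output form of composition the paper asks for. The orientation bookkeeping in comp is the multiplicative counterpart of the six ordering cases spelled out for FBTS-1 in Section 3.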

1.3 Definitional Contributions 

Regarding the composability property, Micali and Rivest [?, p. 238] (we have modified the notation to be consistent with ours) say: "... if someone sees Alice's signatures on edges {i, j} and {j, k} then that someone can easily compute a valid signature on edge {i, k} that is indistinguishable from a signature on that edge that Alice would have produced herself." This seems to suggest that composition is only required to work when the given signatures were explicitly produced by the signer, but in fact we want composition to work even if the given signatures were themselves obtained via composition. Formulating an appropriate requirement turns out to be more delicate than one might imagine. One could require the simple condition that valid signatures (meaning, ones accepted by the verification algorithm relative to the signer's public key) can be composed to yield valid signatures. (This would follow [?], who require a condition that implies this.) But this requirement is too strong in the current context. Indeed, the MRTS scheme does not meet it, meaning there are valid signatures which, when composed, yield an invalid signature. The same is true for our schemes.

It can be proved that for MRTS and our schemes, finding valid signature inputs that make the composition algorithm return an invalid signature is computationally hard assuming the scheme is secure. But we prefer not to tie correctness of composition to security. Instead, we formulate correctness of composition via a recursive requirement that says that as long as one obtains signatures either directly via the signer or by applying the composition operation to signatures previously legitimately obtained or generated, then the resulting signature is valid. (This would be relatively easy to formulate if the signer was stateless, but needs more care due to the fact that the natural formulation of transitive signature schemes often results in a stateful signer.) As part of the formalization we provide in Definition 1, we follow [?] and require a very strong form of the indistinguishability requirement mentioned in the quote above, namely that the signature output by the composition algorithm is not just indistinguishable from, but identical to, the one the signer would have produced. (As argued in [?], this guarantees privacy.) The MRTS scheme, as well as all our schemes, meet this strong definition.

1.4 Related Work 

Transitive signatures are one case of a more general concept promulgated by Rivest [?] in talks, namely that of signature schemes that admit forgery of signatures derived by some specific operation on previous signatures but resist other forgeries. Johnson, Molnar, Song and Wagner [?] formalize a notion of homomorphic signature schemes that captures this. Context Extraction Signatures, as introduced earlier by [?], as well as redactable signatures and set-homomorphic signatures [?], fall in this framework. A signature scheme that is homomorphic with respect to the prefix operation is presented by Chari, Rabin and Rivest [?].

2 Definitions 

Notation. We let ε denote the empty string and || the concatenation operator on strings. We let N = {1, 2, ...} be the set of positive integers. The notation x ← S denotes that x is selected randomly from set S. If A is a possibly randomized algorithm then the notation x ← A(a1, a2, ...) denotes that x is assigned the outcome of the experiment of running A on inputs a1, a2, ....

Graphs. All graphs in this paper are undirected. A graph G* = (V*, E*) is said to be transitively closed if for all nodes i, j, k ∈ V* such that {i, j} ∈ E* and {j, k} ∈ E*, it also holds that {i, k} ∈ E*; or in other words, edge {i, j} ∈ E* whenever there is a path from i to j in G*. If G = (V, E) is a graph, its transitive closure is the graph Ĝ = (V, Ê) where {i, j} ∈ Ê iff there is a path from i to j in G. Note that the transitive closure of any graph G is a transitively closed graph. Also note that any transitively closed graph can be partitioned into connected components such that each component is a complete graph.

Transitive Signature Schemes and Their Correctness. A transitive signature scheme TS = (TKG, TSign, TVf, Comp) is specified by four polynomial-time algorithms, and the functionality is as follows:

• The randomized key generation algorithm TKG takes input 1^k, where k ∈ N is the security parameter, and returns a pair (tpk, tsk) consisting of a public key and matching secret key.

• The signing algorithm TSign, which could be stateful or randomized (or both), takes input the secret key tsk and nodes i, j ∈ N, and returns a value called an original signature of edge {i, j} relative to tsk. If stateful, it maintains state which it updates upon each invocation.

• The deterministic verification algorithm TVf, given tpk, nodes i, j ∈ N, and a candidate signature σ, returns either 1 or 0. In the former case we say that σ is a valid signature of edge {i, j} relative to tpk.

• The deterministic composition algorithm Comp takes tpk, nodes i, j, k ∈ N and values σ1, σ2 to return either a value σ or a symbol ⊥ to indicate failure.

The above formulation makes the simplifying assumption that the nodes of the graph are positive integers. In practice it is desirable to allow users to name nodes via whatever identifiers they choose, but these names can always be encoded as integers, so we keep the formulation simple.

Naturally, it is required that if σ is an original signature of edge {i, j} relative to tsk then it is a valid signature of {i, j} relative to tpk.

As discussed in Section 1.3, formulating a correctness requirement for the composition algorithm is more delicate. Micali and Rivest [?] seem to suggest that composition is only required to work when the given signatures were explicitly produced by the signer, but in fact we want composition to work even if the given signatures were themselves obtained via composition. Furthermore the indistinguishability requirement is not formalized in [?].

Definitions taking these issues into account are however provided in [?]. They ask that whenever the composition algorithm is invoked on valid signatures (valid means accepted by the verification algorithm relative to the signer's public key) it returns the same signature as the signer would produce. This captures indistinguishability in a strong way that guarantees privacy. However, one implication of their definition is that whenever the composition algorithm is invoked on valid signatures, it returns a valid signature, and this last property is not true of known node certification based transitive signature schemes such as MRTS, FBTS-1 and RSATS-1. For these schemes, it is possible to construct examples of valid signature inputs that, when provided to the composition algorithm, result in the latter failing (returning ⊥ because it cannot compose) or returning an invalid signature. (Roughly, this is because composition of a signature σ1 of {i, j} with a signature σ2 of {j, k} in these schemes requires that the public labels of node j as specified in σ1 and σ2 be the same. Validity of the individual signatures cannot guarantee this.)

This is not a weakness in the schemes, because in practice composition is applied not to arbitrary valid signatures but to ones that are legitimate, the latter being recursively defined: a signature is legitimate if it is either obtained directly from the signer, or obtained by applying the composition algorithm to legitimate signatures. What it points to is that we need to formulate a new correctness definition for composition that captures this intuition and results in a notion met by the known transitive signature schemes. Roughly, we would like a formulation that says that if the composition algorithm is invoked on legitimate signatures, then it returns the same signature as the signer would have produced. (Here, we are continuing to follow [?] in capturing indistinguishability by the strong requirement that composed signatures are identical to original ones, but weakening their requirement by asking that this be true not for all valid signature inputs to the composition algorithm, but only for legitimate inputs.)

The formalization would be relatively simple (the informal description above would pretty much be it) if the signing algorithm were stateless, but the natural formulation of numerous transitive signature schemes seems to be in terms of a stateful signing algorithm. In this case, it is not clear what it means that the output of the composition algorithm is the same as that of the signer, since the latter's output depends on its internal state which could be different at different times. To obtain a formal definition of correctness that takes into account the statefulness of the signing algorithm, we proceed as follows. We associate to any algorithm A (deterministic, halting, but not computationally limited) and security parameter k ∈ N the experiment of Figure 3, which provides A with oracles

TSign(tsk, ·, ·) and Comp(tpk, ·, ·, ·, ·, ·),

where tpk, tsk have been produced by running TKG on input 1^k. In this experiment, the TSign oracle maintains state, and updates this state each time it is invoked. It also tosses coins anew at each invocation if it is randomized.

Definition 1. We say that the transitive signature scheme TS is correct if for every (computationally unbounded) algorithm A and every k, the output of the experiment of Figure 3 is true with probability zero.

The experiment computes a boolean Legit which is set to false if A ever makes an "illegitimate" query. It also computes a boolean NotOK which is set to true if a signature returned by the composition algorithm differs from the original one. To win, A must stay legitimate (meaning Legit = true) but violate correctness (meaning NotOK = true). The experiment returns true iff A wins. The definition requires that this happen with probability zero.

Security of Transitive Signature Schemes. We recall the notion of security of [?]. Associated to transitive signature scheme TS = (TKG, TSign, TVf, Comp), adversary F and security parameter k ∈ N is an experiment, denoted

Exp^{tu-cma}_{TS,F}(k),

that returns 1 if and only if F is successful in its attack on the scheme. The experiment begins by running TKG on input 1^k to get keys (tpk, tsk). If we are in the random oracle model, it also chooses the appropriate hash functions at random. It then runs F, providing this adversary with input tpk and oracle access to the function TSign(tsk, ·, ·). The oracle is assumed to maintain state or toss coins as needed. Eventually, F will output i', j' ∈ N and some value σ'. Let E be the set of all edges {a, b} such that F made oracle query a, b, and let V be the set of all integers a such that a is adjacent to some edge in E. We say that F wins if σ' is a valid signature of {i', j'} relative to tpk but edge {i', j'} is not in the transitive closure Ĝ of graph G = (V, E). The experiment returns 1 if F wins and 0 otherwise. The advantage of F in its attack on TS is the function Adv^{tu-cma}_{TS,F}(·) defined for k ∈ N by

Adv^{tu-cma}_{TS,F}(k) = Pr[ Exp^{tu-cma}_{TS,F}(k) = 1 ],

the probability being over all the random choices made in the experiment. We say that TS is transitively unforgeable under adaptive chosen-message attack if the function Adv^{tu-cma}_{TS,F}(·) is negligible for any adversary F whose running time is polynomial in the security parameter k.

Transitive Signatures Based on Factoring and RSA 405

(tpk, tsk) ← TKG(1^k)
S ← ∅ ; Legit ← true ; NotOK ← false
Run A with its oracles until it halts, replying to its oracle queries as follows:
    If A makes TSign query i, j then
        If i = j then Legit ← false
        Else
            Let σ be the output of the TSign oracle and let S ← S ∪ {({i, j}, σ)}
            If TVf(tpk, i, j, σ) = 0 then NotOK ← true
    If A makes Comp query i, j, k, σ1, σ2 then
        If [({i, j}, σ1) ∉ S OR ({j, k}, σ2) ∉ S OR i, j, k are not all distinct] then Legit ← false
        Else
            Let σ be the output of the Comp oracle and let S ← S ∪ {({i, k}, σ)}
            Let τ ← TSign(tsk, i, k)
            If [(σ ≠ τ) or TVf(tpk, i, k, σ) = 0] then NotOK ← true
When A halts, output (Legit ∧ NotOK) and halt

Fig. 3. Experiment used to define correctness of the transitive signature scheme TS = (TKG, TSign, TVf, Comp).

RO Model. Some of our schemes will be defined in the random oracle model [?], which means that the algorithms TSign, TVf, Comp all have oracle access to one or more functions which in the correctness and security experiments are assumed to be drawn at random from appropriate spaces. Formally, both the experiment of Figure 3 and Exp^{tu-cma}_{TS,F}(k) are augmented to choose a function mapping {0, 1}* to {0, 1}^k at random, and the adversary, as well as the TSign, TVf, Comp algorithms, then get oracle access to this function. In Definition 1 the probability includes the choice of these functions, and so does the probability in the definition of Adv^{tu-cma}_{TS,F}(k). Usually the scheme will need to construct out of the given function a function H with suitable range depending on the public key.

Standard Signature Schemes. Some of our schemes use an underlying standard digital signature scheme SDS = (SKG, SSign, SVf), described as usual via its polynomial-time key generation, signing and verification algorithms. We use the security definition of [?], where the forger B is given adaptive oracle access to the signing algorithm, and its advantage Adv_{SDS,B}(k) in breaking SDS is defined as the probability that it outputs a valid signature for a message that was not one of its previous oracle queries. The scheme SDS is said to be secure against forgery under adaptive chosen-message attack if Adv_{SDS,B}(k) is negligible for every forger B with running time polynomial in the security parameter k.

3 A Transitive Signature Scheme Based on Factoring 

Factoring Problem. A modulus generator is a randomized, polynomial-time algorithm that on input 1^k returns a triple (N, p, q) where N = pq, 2^{k-1} < N < 2^k, and p, q are distinct, odd primes. There are numerous possible modulus generators which differ in the structure of the primes chosen or the distribution under which they are chosen. We do not restrict the type of generator, but only assume that the associated factoring problem is hard. Formally, for any modulus generator MG, adversary A and k ∈ N we let

Adv^{f}_{MG,A}(k) = Pr[ r ∈ {p, q} : (N, p, q) ← MG(1^k) ; r ← A(k, N) ].

We say that factoring is hard relative to MG if the function Adv^{f}_{MG,A} is negligible for every A whose running time is polynomial in k.

The Scheme. We are given a modulus generator MG and a standard digital signature scheme SDS = (SKG, SSign, SVf). We associate to them a transitive signature scheme FBTS-1 = (TKG, TSign, TVf, Comp) defined as follows:

• Given input 1^k, the key generation algorithm TKG first runs SKG on input 1^k to generate a key pair (spk, ssk) for the standard signature scheme SDS. It then runs the modulus generator MG on input 1^k to get a triple (N, p, q). It outputs tpk = (N, spk) as the public key of the transitive signature scheme and tsk = (N, ssk) as the matching secret key. Note that the primes p, q are discarded and in particular not part of the secret key.

• The signing algorithm TSign maintains state (V, ℓ, L, Σ) where V ⊆ N is the set of all queried nodes, the function ℓ : V → Z*_N assigns to each node i ∈ V a secret label ℓ(i) ∈ Z*_N, while the function L : V → Z*_N assigns to each node i ∈ V a public label L(i), and the function Σ : V → {0, 1}* assigns to each node i a standard signature on i||L(i) under ssk. When invoked on inputs tsk, i, j, meaning when asked to produce a signature on edge {i, j}, it does the following:

    If j < i then l ← j ; j ← i ; i ← l    // swap i and j if necessary
    If i ∉ V then V ← V ∪ {i} ; ℓ(i) ← Z*_N ; L(i) ← ℓ(i)^2 mod N ; Σ(i) ← SSign(ssk, i||L(i))
    If j ∉ V then V ← V ∪ {j} ; ℓ(j) ← Z*_N ; L(j) ← ℓ(j)^2 mod N ; Σ(j) ← SSign(ssk, j||L(j))
    δ ← ℓ(i)ℓ(j)^{-1} mod N ; C_i ← (i, L(i), Σ(i)) ; C_j ← (j, L(j), Σ(j))
    Return (C_i, C_j, δ) as the signature of {i, j}.

We refer to (l, L(l), Σ(l)) as a certificate of node l.

• The verification algorithm TVf, on input tpk = (N, spk), nodes i, j and a candidate signature σ, proceeds as follows:

    If j < i then l ← j ; j ← i ; i ← l    // swap i and j if necessary
    Parse σ as (C_i, C_j, δ), parse C_i as (i, L_i, Σ_i), parse C_j as (j, L_j, Σ_j)
    If SVf(spk, i||L_i, Σ_i) = 0 or SVf(spk, j||L_j, Σ_j) = 0 then return 0
    If L_i = δ^2 L_j mod N then return 1 else return 0.

• The composition algorithm Comp takes nodes i, j, k, a signature σ1 = (C1, C2, δ1) of {i, j} and a signature σ2 = (C3, C4, δ2) of {j, k}, and proceeds as follows:

    Let C_i ∈ {C1, C2} be such that C_i parses as (i, L_i, Σ_i)²
    Let C_j ∈ {C1, C2} be such that C_j parses as (j, L_j, Σ_j)
    If C_j ∉ {C3, C4} then return ⊥
    Let C_k ∈ {C3, C4} be such that C_k parses as (k, L_k, Σ_k)
    If j < i < k then δ ← δ1^{-1} δ2 mod N ; Return (C_i, C_k, δ)
    If i < j < k then δ ← δ1 δ2 mod N ; Return (C_i, C_k, δ)
    If i < k < j then δ ← δ1 δ2^{-1} mod N ; Return (C_i, C_k, δ)
    If j < k < i then δ ← δ1 δ2^{-1} mod N ; Return (C_k, C_i, δ)
    If k < j < i then δ ← δ1 δ2 mod N ; Return (C_k, C_i, δ)
    If k < i < j then δ ← δ1^{-1} δ2 mod N ; Return (C_k, C_i, δ)

A proof by induction can be used to show the following.

Proposition 1. The FBTS-1 transitive signature scheme described above satisfies the correctness requirement of Definition 1.

The proof is provided in [?]. We note that it was to ensure that this correctness requirement is met that we have been detailed regarding the specification of the composition algorithm above. We point in particular to the fact that the composition algorithm checks that the certificate C_j in the given signature of {i, j} exactly matches the one in the given signature of {j, k}. This ensures that the public labels in these two certificates match, which is important in the proof of Proposition 1.

² This means that we assign the name C_i to whichever of C1, C2 has its first component equal to the integer i. It is understood that if this is not possible then the algorithm halts and returns ⊥. The same is true for the other similar steps that follow.
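The following added Python illustration walks through the FBTS-1 algorithms above (TKG, the stateful TSign, TVf and the six-case Comp) and then runs a small instance of the Figure 3 checks; it is not the paper's code. Assumed and not on the page: a toy modulus N built from two Mersenne primes, a textbook RSA-FDH signature on a second toy modulus standing in for the standard scheme SDS, and the concrete encoding of the message i||L(i). The demo also shows the distinction between valid and legitimate signatures from Section 2: a signature from a second, independently run signer verifies, but Comp rejects it because its certificate for the shared node differs.

```python
"""FBTS-1 in Python (added illustration, not the paper's code).
Assumed, not from the page: a toy modulus N from Mersenne primes, textbook
RSA-FDH on a second toy modulus standing in for SDS, and the "i||L" encoding."""
import hashlib
import secrets
from math import gcd

# Toy stand-in for SDS = (SKG, SSign, SVf): RSA full-domain-hash, far too small for real use.
_SP, _SQ = (1 << 61) - 1, (1 << 89) - 1          # Mersenne primes 2^61-1, 2^89-1
_SN, _SE = _SP * _SQ, 65537
_SD = pow(_SE, -1, (_SP - 1) * (_SQ - 1))        # Python 3.8+ modular inverse

def _fdh(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sds_sign(ssk, msg: bytes) -> int:
    n, d = ssk
    return pow(_fdh(msg, n), d, n)

def sds_verify(spk, msg: bytes, sig: int) -> bool:
    n, e = spk
    return 0 < sig < n and pow(sig, e, n) == _fdh(msg, n)

def tkg():
    """TKG: SDS key pair plus the modulus N; the primes p, q are discarded."""
    n = ((1 << 31) - 1) * ((1 << 61) - 1)         # toy N = pq
    return (n, (_SN, _SE)), (n, (_SN, _SD))      # (tpk, tsk)

def _cert_msg(i: int, label: int) -> bytes:
    return f"{i}||{label}".encode()              # the message i||L(i) signed under ssk

class Signer:
    """Stateful TSign: one secret label, public label and certificate per node."""
    def __init__(self, tsk):
        self.n, self.ssk = tsk
        self.ell, self.cert = {}, {}

    def _certify(self, i: int):
        if i not in self.ell:                    # first query involving node i
            r = 0
            while r == 0 or gcd(r, self.n) != 1:  # ell(i) <- Z*_N
                r = secrets.randbelow(self.n)
            lab = r * r % self.n                 # L(i) = ell(i)^2 mod N
            self.ell[i] = r
            self.cert[i] = (i, lab, sds_sign(self.ssk, _cert_msg(i, lab)))
        return self.cert[i]

    def sign(self, i: int, j: int):
        if i == j:
            raise ValueError("an edge needs two distinct nodes")
        if j < i:
            i, j = j, i
        ci, cj = self._certify(i), self._certify(j)
        return (ci, cj, self.ell[i] * pow(self.ell[j], -1, self.n) % self.n)

def tvf(tpk, i: int, j: int, sig) -> bool:
    """TVf: both certificates verify under spk and L_i = delta^2 L_j mod N."""
    n, spk = tpk
    if i == j:
        return False
    if j < i:
        i, j = j, i
    ci, cj, delta = sig
    if ci[0] != i or cj[0] != j:
        return False
    if not all(sds_verify(spk, _cert_msg(c[0], c[1]), c[2]) for c in (ci, cj)):
        return False
    return ci[1] == delta * delta * cj[1] % n

def comp(tpk, i: int, j: int, k: int, s1, s2):
    """Comp for sigma1 on {i,j} and sigma2 on {j,k}; None plays the role of bottom.
    The certificate of j must be identical in both inputs (see footnote 2)."""
    n, _ = tpk
    c1 = {c[0]: c for c in s1[:2]}
    c2 = {c[0]: c for c in s2[:2]}
    if len({i, j, k}) != 3 or i not in c1 or j not in c1 or k not in c2 or c2.get(j) != c1[j]:
        return None
    ci, ck, d1, d2, inv = c1[i], c2[k], s1[2], s2[2], lambda x: pow(x, -1, n)
    if j < i < k: return (ci, ck, inv(d1) * d2 % n)
    if i < j < k: return (ci, ck, d1 * d2 % n)
    if i < k < j: return (ci, ck, d1 * inv(d2) % n)
    if j < k < i: return (ck, ci, d1 * inv(d2) % n)
    if k < j < i: return (ck, ci, d1 * d2 % n)
    return (ck, ci, inv(d1) * d2 % n)            # k < i < j

def demo():
    """Sign the path 1-2-3-4, compose along it and run the Figure 3 checks:
    legitimate inputs compose to exactly the signer's own signature, whereas a
    valid signature from a different signing run is not legitimate and Comp
    refuses it (the valid-versus-legitimate distinction of Section 2)."""
    tpk, tsk = tkg()
    signer = Signer(tsk)
    s12, s23, s34 = signer.sign(1, 2), signer.sign(3, 2), signer.sign(4, 3)
    s13 = comp(tpk, 1, 2, 3, s12, s23)
    s14 = comp(tpk, 1, 3, 4, s13, s34)
    foreign = Signer(tsk).sign(2, 3)             # fresh state: new ell(2), new certificate
    return {
        "originals_verify": tvf(tpk, 1, 2, s12) and tvf(tpk, 2, 3, s23) and tvf(tpk, 3, 4, s34),
        "composed_verify": tvf(tpk, 1, 3, s13) and tvf(tpk, 4, 1, s14),
        "composed_identical": s13 == signer.sign(1, 3) and s14 == signer.sign(1, 4),
        "reverse_order_composes": comp(tpk, 4, 3, 2, s34, s23) == signer.sign(2, 4),
        "foreign_valid_but_not_composable": tvf(tpk, 2, 3, foreign) and comp(tpk, 1, 2, 3, s12, foreign) is None,
    }
```

Every entry returned by demo() is True. The "composed_identical" check is the strong form of Definition 1: because the signer reuses the stored ℓ(i), an original signature of {1, 4} requested afterwards is byte-for-byte the composed one, which is why the statefulness (or the PRF-derived coins discussed next) is essential.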

Eliminating State. The signing algorithm of the FBTS-1 scheme is stateful. It is important for composition that the signer associates a single public label to node i, and it is important for security that it associates to this a single secret label ℓ(i). (Else it would soon give away two different square roots of L(i).) The MRTS, FBTS-2 and RSATS-1 schemes also have stateful signing algorithms, pointing to the fact that the natural formulation of many transitive signature schemes is in terms of a stateful signing algorithm. However, we note here that a simple transformation can be used to make the signer stateless, if so desired, without loss of security. Namely, let the signer's secret key include a key K specifying an instance F_K from a pseudorandom function family F [?], and use F_K(i) as the underlying coins (randomness) for all choices made by the signer related to node i. This enables the signer to recompute quantities as it needs rather than store them and yet be consistent, always creating the same quantities for a given node. Having pointed this out, however, in the rest of the paper we continue to work with stateful signing algorithms, since they are more natural and convenient in this context.

Computational Costs. The cost for the signature algorithm is dominated by multiplications and inversions modulo N, for both of which there exist algorithms quadratic in |N|, and the cost of generating two standard signatures, which depends on the choice of underlying standard signature scheme. It is not strictly necessary to test membership in Z*_N, because it is very unlikely that a randomly generated value is not coprime with N. Verification takes a couple of multiplications mod N and two standard signature verifications. The composition of two signatures involves one multiplication and possibly an inversion in Z*_N.

Security. Forging a signature for FBTS-1 is trivial if an insecure instance is used for the modulus generator MG or the standard signature scheme SDS. The following theorem, however, states that the construction of FBTS-1 contains no weaknesses other than those induced by the underlying primitives.

Theorem 1. Let MG be a modulus generator and let SDS = (SKG, SSign, SVf) be a standard digital signature scheme. Let FBTS-1 be the transitive signature scheme associated to them as defined above. If the factoring problem associated to MG is hard and SDS is secure against forgery under adaptive chosen-message attack, then FBTS-1 is transitively unforgeable under adaptive chosen-message attack.

We briefly sketch how a forgery for FBTS-1 can be used to either factor numbers generated by MG or break the underlying standard signature scheme SDS, and highlight a small but crucial detail for the analysis in a lemma. We refer to [?] for the full proof, which involves relatively standard reduction techniques and probability theory.

Signatures for FBTS-1 can be forged in only two ways: either there is the forgery that recycles node certificates from previously issued signatures, or there is the forgery that includes at least one new node certificate. The latter can be easily transformed into an attack on SDS: the new node certificate is a successful forgery for SDS, because it contains a standard signature on a message that was not signed before. A forgery of the first type provides the signer with an edge label δ' that is valid relative to the same public labels L(i') and L(j') he once issued for nodes i' and j' himself. (During this analysis, we assume wlog that i' < j'. If this is not the case, one can swap i' and j'.) Because these were computed as the squares of private labels ℓ(i') and ℓ(j'), he now knows two square roots of L(i') · L(j')^{-1} mod N, namely δ' and δ = ℓ(i') · ℓ(j')^{-1} mod N.

It is tempting to say that since ℓ(i') and ℓ(j') were chosen at random, with probability one in two the signer now has two square roots δ and δ' such that δ ≠ ±δ' mod N, enabling him to factor N. This argument would be correct if the forger only knew L(i') and L(j'), without having any further information on exactly which root the signer knows. However, by signing edges involving nodes i' or j', the signer might have given away some additional information about his choices for ℓ(i') and ℓ(j'). It is crucial to the security of the scheme that this information doesn't help the forger in creating a forgery with edge label δ' = ±δ, as this would annihilate the signer's advantage in factoring N. Fortunately, it turns out that the exact value of δ remains information-theoretically hidden from the forger as long as {i', j'} is not in the transitive closure of the signed edges.

We will prove this fact using the information-theoretic argument that for every possible square root δ̃ of L(i')L(j')^{-1} mod N there are exactly as many choices for the signer's private information ℓ that generate the given forger view and have ℓ(i')ℓ(j')^{-1} = δ̃ mod N. As the secret labels are chosen uniformly at random from Z*_N, this implies that the issued signatures don't leak any useful information about which root the signer has in mind.

We represent the signer's secret information by a random variable ℓ distributed uniformly over Secrets = { ℓ | ℓ : V → Z*_N }. The forger's view consists of a function L assigning a square mod N to each node in V, and a function Δ assigning an edge label in Z*_N to each edge in E. (We discard the standard digital signatures on the node certificates, as they are irrelevant for this analysis.) However, not just any pair of functions (L, Δ) can occur as the forger's view. We say that forger view (L, Δ) is consistent with ℓ ∈ Secrets (and vice versa that ℓ is consistent with (L, Δ)) if and only if

    L(i) = ℓ(i)^2 mod N                  for all i ∈ V                  (1)
    Δ(i, j) = ℓ(i)ℓ(j)^{-1} mod N         for all {i, j} ∈ E, i < j      (2)

The set of all possible forger views Views can then be defined as the set of all pairs (L, Δ) that are consistent with some ℓ ∈ Secrets. The actual view of the forger is a random variable View distributed over Views as induced by ℓ. The following lemma states that for every (L, Δ) ∈ Views and for every {i', j'} ∉ Ê, any square root δ̃ of L(i')L(j')^{-1} mod N is equally likely to be δ = ℓ(i')ℓ(j')^{-1} mod N when given only View = (L, Δ), and hence that no forger, on input only View, can predict δ with higher probability of success than random guessing. The following lemma formalizes this idea and is proven in the full version of this paper [?].

Lemma 1. For any (L, Δ) ∈ Views, for any {i', j'} ∉ Ê and for any δ̃ ∈ Z*_N with δ̃^2 = L(i')L(j')^{-1} mod N:

    Pr[ δ̃ = δ mod N | View = (L, Δ) ] = 1/4 .
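To see Lemma 1 and the factoring step of the proof sketch operate on a concrete instance, here is an added Python illustration (not the paper's code). It uses the constructed toy modulus N = 7 · 11 and a constructed secret ℓ on three nodes with only edge {1, 2} signed, enumerates every secret consistent with the resulting view in the sense of (1) and (2), and counts how often each square root of L(1)L(3)^{-1} equals the signer's δ; factor_from_roots is the standard gcd step by which two roots δ ≠ ±δ' of the same value yield a factor of N. The modulus, node names and labels are all constructed for the demo and appear nowhere on the page.

```python
"""Brute-force check of Lemma 1 on a toy modulus, plus the two-roots-to-factor
step of the proof sketch. Added illustration, not the paper's code; N = 7 * 11
and the three-node view below are constructed for the demo."""
from collections import Counter
from itertools import product
from math import gcd

N = 7 * 11                                   # constructed toy modulus
ZN_STAR = [x for x in range(1, N) if gcd(x, N) == 1]


def square_roots(y: int) -> list:
    """All square roots of y in Z*_N: four of them when y is a square mod pq."""
    return [r for r in ZN_STAR if r * r % N == y % N]


def consistent_secrets(view_L: dict, view_Delta: dict) -> list:
    """Every ell: V -> Z*_N consistent with the view (L, Delta), i.e. satisfying
    (1) L(i) = ell(i)^2 and (2) Delta(i,j) = ell(i) ell(j)^-1 on signed edges."""
    nodes = sorted(view_L)
    found = []
    for choice in product(*(square_roots(view_L[i]) for i in nodes)):   # (1) by construction
        ell = dict(zip(nodes, choice))
        if all(ell[i] * pow(ell[j], -1, N) % N == d for (i, j), d in view_Delta.items()):  # (2)
            found.append(ell)
    return found


def root_distribution(view_L: dict, view_Delta: dict, i: int, j: int) -> dict:
    """How many consistent secrets realise each root delta = ell(i) ell(j)^-1 of
    L(i) L(j)^-1. A flat count over all four roots is the content of Lemma 1;
    a single entry means the view already determines delta."""
    counts = Counter(ell[i] * pow(ell[j], -1, N) % N
                     for ell in consistent_secrets(view_L, view_Delta))
    return dict(counts)


def factor_from_roots(r1: int, r2: int):
    """Two square roots of the same value with r1 != +-r2 mod N give a factor of N,
    since (r1 - r2)(r1 + r2) = 0 mod N with neither factor 0 mod N. This is how a
    type-one forgery becomes a factoring algorithm in the proof sketch."""
    r1, r2 = r1 % N, r2 % N
    if r1 * r1 % N != r2 * r2 % N or r1 in (r2, (N - r2) % N):
        return None
    f = gcd(r1 - r2, N)
    return f if 1 < f < N else None


def build_view(ell: dict, edges: list) -> tuple:
    """The forger's view (L, Delta) induced by secret ell on the signed edges;
    the standard signatures are dropped, as in the paper's analysis."""
    L = {i: ell[i] * ell[i] % N for i in ell}
    Delta = {(i, j): ell[i] * pow(ell[j], -1, N) % N for i, j in edges}
    return L, Delta


# Constructed instance: nodes 1, 2, 3 with only edge {1,2} signed, so {1,2} lies in
# the transitive closure of the signed graph while {1,3} does not.
SECRET = {1: 3, 2: 5, 3: 9}
VIEW_L, VIEW_DELTA = build_view(SECRET, [(1, 2)])


def demo() -> dict:
    hidden = root_distribution(VIEW_L, VIEW_DELTA, 1, 3)   # {1,3} not in the closure
    pinned = root_distribution(VIEW_L, VIEW_DELTA, 1, 2)   # {1,2} in the closure
    return {"hidden": hidden, "pinned": pinned}
```

On this view the four roots of L(1)L(3)^{-1} are each realised by exactly four consistent secrets, which is the 1/4 of Lemma 1, whereas for the signed edge {1, 2} every consistent secret gives the same δ = Δ(1, 2); the contrast is why the lemma needs {i', j'} ∉ Ê. factor_from_roots(3, 25) returns 11 because 3 and 25 are roots of 9 mod 77 with 25 ≠ ±3, while factor_from_roots(3, 74) returns None since 74 = -3 mod 77, matching the "δ' = ±δ" case that gives the signer nothing.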

4 Eliminating Node Certificates via Hashing 

The Idea. The MRTS and FBTS-1 schemes rely on an underlying standard 
digital signature scheme to convince the verifier that the public label L(i) was 
associated to node i by the signer, and was not generated by some fraudulent 
third party. The disadvantage of this approach is that the signer has to provide 
the verifier with all necessary node certificates, thereby increasing the signature 
size as well as the computational cost for signing and verifying. In this section we 
show how the need for node certificates can be eliminated by specifying the public 
labels L(i) via the output of a hash function on input i. No explicit certification 
is attached to this value. Rather, we will be able to show that the edge label 
provides an “implicit authentication” of the associated node label that suffices 
to be able to prove that the scheme is transitively unforgeable under adaptive 
chosen-message attack assuming the hardness of factoring, in a model where the 
hash function is based on a random oracle. 

The Hash Function. The first thought regarding transforming FBTS-1 based 
on this idea is to simply let $L(i) = H(i)$ where $H$ is some public hash function. 
However, $L(i)$ needs to be a quadratic residue in $\mathbb{Z}_N^*$, where $N$ is the signer's 
modulus, and this needs to be verifiable given $N$ alone. In practice $H$ must 
be built via a cryptographic hash function $h$ like SHA-1, which returns 160 bits. 
Standard techniques [Jj can be used to build $H$ from $h$ so that it has range $\mathbb{Z}_N^*$, 
exploiting the fact that $\mathbb{Z}_N^*$ is dense in $\{0,1\}^k$ where $2^{k-1} < N < 2^k$ and that 
membership in $\mathbb{Z}_N^*$ can be tested in $\mathrm{poly}(k)$ time given $N$. However, given that 
no polynomial-time algorithm to test quadratic residuosity is known, there is 
no practical way to ensure that $H(i)$ is a quadratic residue while being able to 
verify this given $N$. 

We could set $L(i) = H(i)^2 \bmod N$, but this reveals a square root of $L(i)$, which 
makes the scheme insecure. Instead, reusing ideas from [Q and m, we let the 
signer choose $N$ to be a Blum integer (i.e. $N = pq$ with $p$ and $q$ primes such that 
$p \equiv q \equiv 3 \pmod 4$). Then it is well known that exactly one square root (called the 
principal one) of each square is itself a square mod $N$. As a consequence, every 
square mod $N$ is also a fourth power mod $N$, and has exactly four fourth roots. 
Now we will choose $L(i), \ell(i)$ such that $L(i) = H(i)^2 = \ell(i)^4 \bmod N$, where $H$ 
is a hash function with range $\mathbb{Z}_N^*[+1]$, the elements of $\mathbb{Z}_N^*$ with Jacobi symbol 
$+1$. Since the Jacobi symbol can be computed in polynomial time given $N$, such 
a hash function can be easily built starting from a cryptographic hash function. 
The FBTS-2 Scheme. A modulus generator BG (as defined in Section 0) is said 
to be a Blum modulus generator if the primes $p, q$ satisfy $p \equiv q \equiv 3 \pmod 4$. 
We associate to any given Blum modulus generator BG a transitive signature 
scheme FBTS-2 = (TKG, TSign, TVf, Comp) defined as follows: 

• TKG, on input $1^k$, runs BG$(1^k)$ to obtain $(N, p, q)$ and outputs $tpk = N$ 
as the public key and $tsk = (N, p, q)$ as the matching secret key. All the 
following algorithms are now assumed to have oracle access to a function 
$H_N : \{0,1\}^* \to \mathbb{Z}_N^*[+1]$. 

• TSign maintains state $(V, \ell)$ where $V \subseteq \mathbb{N}$ is the set of all queried nodes and 
the function $\ell : V \to \mathbb{Z}_N^*$ assigns to each node $i \in V$ a secret label $\ell(i) \in \mathbb{Z}_N^*$. 
When invoked on inputs $tsk, i, j$, meaning when asked to produce a signature 
on edge $\{i, j\}$, it does the following: 

    If $j < i$ then $t \leftarrow j$; $j \leftarrow i$; $i \leftarrow t$   // swap $i$ and $j$ if necessary 
    If $i \notin V$ then 
        $V \leftarrow V \cup \{i\}$; $L(i) \leftarrow H_N(i)^2 \bmod N$; $\ell(i) \xleftarrow{\$} L(i)^{1/4} \bmod N$ 
    If $j \notin V$ then 
        $V \leftarrow V \cup \{j\}$; $L(j) \leftarrow H_N(j)^2 \bmod N$; $\ell(j) \xleftarrow{\$} L(j)^{1/4} \bmod N$ 
    $\delta \leftarrow \ell(i)\,\ell(j)^{-1} \bmod N$ 

  where the notation $x \xleftarrow{\$} y^{1/4} \bmod N$ means that $x$ is chosen at random 
  from all fourth roots of $y$ mod $N$. (These roots can be efficiently computed 
  using the prime factors $p$ and $q$.) Return $\delta$ as the signature on $\{i, j\}$. 

• TVf, on input $tpk = N$, nodes $i, j$ and a signature $\delta$, first swaps $i$ and $j$ if 
$j < i$. It returns 1 if $H_N(i)^2 = \delta^4 H_N(j)^2 \bmod N$ and returns 0 otherwise. 

• Comp, on input nodes $i, j, k$ and signatures $\delta_1, \delta_2$ (on edges $\{i,j\}$ and $\{j,k\}$), 
proceeds as follows: 

    If $j < i$ then $\delta_1 \leftarrow \delta_1^{-1} \bmod N$; If $k < j$ then $\delta_2 \leftarrow \delta_2^{-1} \bmod N$ 
    $\delta \leftarrow \delta_1 \cdot \delta_2 \bmod N$ 

  and outputs $\delta$ as the transitive composition. 
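As an added worked example (not code from the original paper), the following Python implements FBTS-2 as described above on a toy Blum modulus. $H_N$ is built from SHA-256 by rejection sampling on the Jacobi symbol, the four fourth roots of a public label are obtained from the principal square root using $p$ and $q$, and TSign, TVf and Comp follow the listing. The primes, the hash construction and one detail in `compose` (when $k < i$ the product is inverted so the output follows the $i < j$ orientation TVf expects) are assumptions of this example, not the paper's.

```python
import hashlib
import random
from math import gcd

# Toy Blum modulus, p = q = 3 (mod 4); assumed for illustration, far too small
# for real use (the scheme needs primes of 512 bits or more).
P, Q = 47, 59
N = P * Q

def jacobi(a, n):
    """Jacobi symbol (a/n), odd n > 0: the public membership test for Z_N^*[+1]."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def h_n(i):
    """H_N: {0,1}* -> Z_N^*[+1], SHA-256 with a counter, rejecting Jacobi != +1."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(f"{i}|{ctr}".encode()).digest(), "big") % N
        if gcd(x, N) == 1 and jacobi(x, N) == 1:
            return x
        ctr += 1

def crt(rp, rq):
    """Combine residues mod P and mod Q into the residue mod N."""
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N

def is_square(y):
    """Euler's criterion mod P and mod Q: y is a square mod N iff both hold."""
    return pow(y, (P - 1) // 2, P) == 1 and pow(y, (Q - 1) // 2, Q) == 1

def sqrt_all(y):
    """All four square roots of a square y mod N (needs the factors)."""
    rp, rq = pow(y, (P + 1) // 4, P), pow(y, (Q + 1) // 4, Q)
    return [crt(sp * rp % P, sq * rq % Q) for sp in (1, -1) for sq in (1, -1)]

def principal_sqrt(y):
    """For a Blum integer exactly one square root of y is itself a square."""
    roots = [r for r in sqrt_all(y) if is_square(r)]
    assert len(roots) == 1
    return roots[0]

def fourth_roots(y):
    """The four fourth roots of a square y: the square roots of its principal root."""
    return sqrt_all(principal_sqrt(y))

class FBTS2Signer:
    """TSign with state (V, ell): the secret labels of all nodes queried so far."""

    def __init__(self):
        self.ell = {}

    def _secret_label(self, i):
        if i not in self.ell:
            big_l = pow(h_n(i), 2, N)                          # L(i) = H_N(i)^2
            self.ell[i] = random.choice(fourth_roots(big_l))  # ell(i) <-$ L(i)^{1/4}
        return self.ell[i]

    def sign(self, i, j):
        if j < i:
            i, j = j, i
        return self._secret_label(i) * pow(self._secret_label(j), -1, N) % N

def verify(i, j, delta):
    """TVf: accept iff H_N(i)^2 = delta^4 H_N(j)^2 mod N (after ordering i < j)."""
    if j < i:
        i, j = j, i
    return pow(h_n(i), 2, N) == pow(delta, 4, N) * pow(h_n(j), 2, N) % N

def compose(i, j, k, d1, d2):
    """Comp: from signatures on {i,j} and {j,k} derive the signature on {i,k}."""
    if j < i:
        d1 = pow(d1, -1, N)
    if k < j:
        d2 = pow(d2, -1, N)
    d = d1 * d2 % N
    if k < i:   # assumption: re-orient so the result matches TVf's i < j convention
        d = pow(d, -1, N)
    return d
```

Signing the same edge twice returns the same $\delta$ because the secret labels are stored, and the composed signature on $\{1,3\}$ verifies although node 3 was never signed against node 1; a signature multiplied by 2 fails TVf because $16 \not\equiv 1 \pmod N$.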

A proof by induction can be used to show the following. 

Proposition 2. The FBTS-2 transitive signature scheme described above satis- 
fies the correctness requirement of Definition 0 

Computational Costs. Since half of the elements in $\mathbb{Z}_N^*$ have Jacobi symbol 
$+1$, a hash function evaluation requires the computation of two Jacobi symbols 
on average, which takes time quadratic in $|N|$. Computing square roots, however, 
is cubic in $|N|$, so the computation of the fourth roots (by extracting square 
roots twice) will dominate the cost of generating signatures. Verification and 
composition of signatures involve multiplications, inverses and Jacobi symbols 
mod $N$, all of which are operations quadratic in $|N|$. 

Security. In [3], we prove breaking the FBTS-2 scheme equivalent to factoring 
in the random oracle model. This means that in the experiment $\mathbf{Exp}_{\mathrm{FBTS\text{-}2},F}(k)$ 
used to define the advantage of an adversary $F$, the function $H_N$ is assumed to 
be chosen at random from the space of all functions mapping $\{0,1\}^*$ to $\mathbb{Z}_N^*[+1]$. 
The result is stated as a theorem below. 

Theorem 2. Let BG be a Blum modulus generator. Let FBTS-2 be the transitive 
signature scheme as defined above. If the factoring problem associated to BG is 
hard, then FBTS-2 is transitively secure against forgery under adaptive chosen- 
message attack in the random oracle model. 

5 Transitive Signatures Based on RSA 

In [12], Micali and Rivest mentioned the following scheme as a simpler scheme 
that can only be proven secure against a static forger, meaning that the forger 
must commit to all of his oracle queries before seeing the responses to any of 
them. While we still do not know how to prove security against an adaptive forger 
assuming only the one-wayness of RSA (or whether this can be done at all), 
we revisit the scheme here to prove it secure under the assumption that the 
one-more RSA-inversion problem, as described in the introduction, is hard. 

In analogy with the modulus generator of the previous section, we define 
an RSA key generator RG as a randomized, polynomial-time algorithm that on 
input $1^k$ outputs a tuple $(N, e, d)$ where $2^{k-1} < N < 2^k$ and $ed \equiv 1 \pmod{\varphi(N)}$. 
We do not restrict the type of generator, but only assume that its associated 
one-more RSA-inversion problem is hard. 

The RSATS-1 Scheme. We associate to any RSA key generator RG and to any 
standard digital signature scheme SDS = (SKG, SSign, SVf) a transitive signature 
scheme RSATS-1 = (TKG, TSign, TVf, Comp) defined as follows: 

• TKG runs SKG$(1^k)$ to generate a key pair $(spk, ssk)$ for SDS and runs RG$(1^k)$ 
to generate an RSA key $(N, e, d)$. It outputs $tpk = (N, e, spk)$ as the public 
key and $tsk = (N, d, ssk)$ as the matching secret key. 

• The signing algorithm TSign is identical to that of the FBTS-1 scheme, 
except that now the public label $L(i)$ for node $i$ is computed as 
$L(i) = \ell(i)^e \bmod N$. The state information kept, the way of creating node 
certificates and the way of constructing the signature remain unchanged. 

• The verification algorithm TVf is also very similar to that of FBTS-1: the 
only difference is the test on the edge label, which now consists of checking 
that $L_i = \delta^e L_j \bmod N$. 

• The Comp algorithm is perfectly identical to the composition algorithm of 
FBTS-1. 

The scheme described above can be shown to satisfy the correctness requirement 
of Definition Q] using a proof by induction. 

Computational Costs. Depending on the actual implementation of RSA, its 
computational overhead probably dominates over quadratic-time operations such 
as multiplications and inverses mod N. The generation of a transitive signature 
needs in the worst case two RSA encryptions, and two standard signatures for 
the node certificates. Signature verification takes one RSA encryption and two 
standard signature verifications, while quadratic operations are predominant in 
the composition algorithm. 
Security of RSATS-1. The security analysis for this scheme against an adap- 
tive forger is very similar to the analysis of FBTS-1, except that this time the 
certificate-recycling type of forgery can be proven equivalent to solving the one- 
more RSA-inversion problem associated to RG. The proof for the following the- 
orem is given in [3]. 

Theorem 3. Let RG be an RSA key generator and let SDS = (SKG, SSign, SVf) 
be a standard digital signature scheme. Let RSATS-1 be the transitive signature 
scheme as defined above. If the one-more RSA-inversion problem associated to 
RG is hard and SDS is secure against forgery under adaptive chosen-message at- 
tack, then RSATS-1 is transitively secure against forgery under adaptive chosen- 
message attack. 

The RSATS-2 Scheme. The idea of replacing node certificates by a suitable 
hash function can also be applied to the RSATS-1 scheme. Since this time the 
public labels are uniformly distributed over the whole of $\mathbb{Z}_N^*$, we can use a hash 
function $H_N : \mathbb{N} \to \mathbb{Z}_N^*$ to directly map node $i$ to its public label $L(i) = H_N(i)$. 
The unambiguous invertibility of RSA encryption allows for the first completely 
stateless signature algorithm: the signature for edge $\{i, j\}$ (swapping $i$ and $j$ 
if $j < i$) is computed as $\delta = \left(H_N(i) \cdot H_N(j)^{-1}\right)^d \bmod N$. The verification of 
signature $\delta$ for edge $\{i, j\}$, $i < j$, is done by checking that $H_N(i) = \delta^e H_N(j) \bmod N$. 
Composition of signatures works as in the FBTS-2 scheme by multiplying 
the (if necessary inverted) edge labels. The proofs of correctness and security (in 
the random oracle model, assuming that the one-more RSA-inversion problem 
associated to RG is hard) are very similar to those given for RSATS-1 and are 
hence omitted. 
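As an added example (not the paper's code), the following Python shows why RSATS-2 needs no signer state: every edge label is a deterministic function of the two hashed node labels and the RSA trapdoor, so re-signing an edge reproduces the same $\delta$. The toy key, the counter-based $H_N$, and the re-orientation of the composed label when $k < i$ are assumptions of this example.

```python
import hashlib
from math import gcd

# Toy RSA key (N, e, d) as an RSA key generator RG would output; assumed values,
# far too small for real use.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h_n(i):
    """H_N: N -> Z_N^*, SHA-256 with a counter, rejecting values not coprime to N."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(f"{i}|{ctr}".encode()).digest(), "big") % N
        if gcd(x, N) == 1:
            return x
        ctr += 1

def sign(i, j):
    """Stateless TSign: delta = (H_N(i) * H_N(j)^{-1})^d mod N, with i < j."""
    if j < i:
        i, j = j, i
    return pow(h_n(i) * pow(h_n(j), -1, N) % N, D, N)

def verify(i, j, delta):
    """TVf: accept iff H_N(i) = delta^e * H_N(j) mod N, with i < j."""
    if j < i:
        i, j = j, i
    return h_n(i) == pow(delta, E, N) * h_n(j) % N

def compose(i, j, k, d1, d2):
    """Comp as in FBTS-2: orient both labels, multiply, re-orient to i < k."""
    d1 = pow(d1, -1, N) if j < i else d1
    d2 = pow(d2, -1, N) if k < j else d2
    d = d1 * d2 % N
    return pow(d, -1, N) if k < i else d   # assumption: re-orient when k < i
```

Because $(H_N(i)/H_N(j))^d \cdot (H_N(j)/H_N(k))^d = (H_N(i)/H_N(k))^d$, the composed label is exactly what the signer itself would have produced for $\{i,k\}$, which is the transitivity property the scheme is built for.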
Abstract. This paper addresses how to use public-keys of several dif- 
ferent signature schemes to generate 1-out-of-n signatures. Previously 
known constructions are for either RSA-keys only or DL-type keys only. 
We present a widely applicable method to construct a 1-out-of-n signa- 
ture scheme that allows the mixed use of different flavors of keys at the 
same time. The resulting scheme is more efficient than previous schemes 
even if it is used only with a single type of key. With all DL-type keys, 
it yields shorter signatures than those of the previously known scheme 
based on the witness indistinguishable proofs by Cramer et al. With all 
RSA-type keys, it reduces both computational and storage costs com- 
pared to those of the Ring signatures by Rivest et al. 


1 Introduction 

A 1-out-of-n signature convinces a verifier that a document is signed by one of 
n possible independent signers without allowing the verifier to identify which 
signer it was. It can be seen as a simple group signature that has no group 
manager who can revoke the identity of the signer in case of emergency. Such a 
signature can also be seen as a kind of non-interactive proof that the signer owns 
a witness (secret-key) that corresponds to one of n commitments (public-keys) or 
theorems without leaking which one it really is. Such a primitive, as a signature 
scheme and/or a proof system, plays a central role in variety of applications 
such as group signatures [815] . designated verifier signatures |EZ}, mix-nets p. 
electronic voting [Kill 1) and so on. 

In [9], Cramer, Damgård and Schoenmakers presented a widely applicable yet 
efficient construction of t-out-of-n witness indistinguishable proofs H3 based on 
secret sharing and public-coin honest verifier zero-knowledge proofs. It can be 
transformed into t-out-of-n signatures via the Fiat-Shamir technique m n ^ and 
is especially suitable for converting Schnorr signatures and Guillou-Quisquater 
signatures [IEj into t-out-of-n signatures. It also allows the RSA signature 
scheme to be involved, based on a zero-knowledge proof of knowledge of the factors 
of the RSA modulus, e.g. |X|£|, but these are less efficient than the Schnorr or the GQ 
signatures both in computation and storage. |22| offers a more intricate construction 
of t-out-of-n proofs for membership. 

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 415 17421 2002. 

© Springer- Verlag Berlin Heidelberg 2002 
In 22, an efficient construction of 1-out-of-n signatures with RSA public- 
keys was introduced by Rivest, Shamir and Tauman. Called the Ring Signature 
Scheme, it is based on trapdoor one-way permutations (TPs for short) and an 
ideal block cipher that is regarded as a perfectly random permutation. The name 
reflects its unique structure, in which a signer who knows at least one witness 
(trapdoor information) can connect the head and tail of a series of n random 
permutations to shape the sequence into a ring. Since the trapdoor is essential 
in their construction, it works only for keys like RSA's, and discrete-log keys 
are not supported. 

There are other solutions that are more efficient but work only in non- 
separable models where all public-keys are related. For instance, when public- 
keys of the Schnorr signature scheme are chosen from a common group, one can 
construct an efficient 1-out-of-n signature scheme as shown in Appendix A. Such 
non-separable but highly efficient schemes may be useful when used within a 
specific group of members. In general, however, public-keys are selected independently by 
each signer. Even key-lengths would differ from user to user. Constructions based 
on 0 and (22 suit a separable model where no underlying common group is assumed. 
Hence, they are 'setup-free': if one utilizes an existing public-key infrastructure, 
a key-setup phase only for this purpose is unnecessary. Furthermore, each key 
can be freely updated whenever its user wishes. 

As introduced in EH) one application of 1-out-of-n signatures is to involve 
somebody else’s public-keys into one’s signature without their agreement. Al- 
though there are pros and cons for such usage, it is surely useful for protect- 
ing privacy. Unfortunately, all above mentioned known schemes have particular 
shortcomings for this purpose; What if one is using a DL type public-key while 
others are using RSA? Generating a new RSA key only for this purpose is not a 
great idea. It is important to have wide freedom for choosing various public-keys 
to involve. 

Our Contribution. We present a widely applicable method of constructing 
1-out-of-n signature schemes that allows the use of several flavours of public-keys, 
such as those for integer factoring based schemes and discrete-log based schemes, 
at the same time. We describe two classes of signature schemes, which we call 
trapdoor-one-way type and three-move type, whose public-keys can be used for 
our construction. 

Our approach also has several advantages even for the use with the same 
kind of keys like the former schemes: 

— When our scheme is used only with public-keys of three-move type signature 
schemes converted from zero-knowledge proof systems, it results in a more 
efficient scheme than the previously known three-move based construction 2] 
with regard to the size of signatures. For large n, it saves about half of the 
signature length. Since this type of scheme includes the discrete-log based 
public-keys, this can be seen as the first construction of a ring signature 
scheme based on the discrete logarithm problem. 

— When our scheme is used only with trapdoor-one-way based public-keys 
such as RSA, it results in a simplified ring signature scheme. By eliminating 
the use of a block cipher and the costly domain adjustment from the former 
scheme EU, our scheme offers shorter signatures and less computation. In 
particular, 

• The signature size of ours is about 20% less than that of the previous 
construction when RSA with a 1024-bit modulus is used. 

• Both the signature size and the computation in our signature generation are 
proportional to the average size of the moduli, while in the former 
scheme they are proportional to the maximum size of the moduli. Accord- 
ingly, one long modulus does not impact efficiency in our scheme, unlike 
the previous scheme. 

We will show several concrete examples following an abstract construction. 
The security is proven in the random oracle model (3) as well as previously known 
schemes. 

The rest of this paper is organized as follows. Section El defines security of 
1-out-of-n signatures. We review two constructions that work in the separable 
model in Section El Section 0 describes our construction in an abstract way. 
Some concrete examples are given in Section El It includes a discrete-log version 
of the ring signature scheme, improved and simplified version of the RSA-based 
ring signatures, and small case of mixture use of RSA and DL type signatures. 
In Section El the efficiency of some concrete instantiations are analyzed in detail. 

2 Security Definitions 

We first of all define 1-out-of-n signature scheme as follows. 

Definition 1. (Syntax). A 1-out-of-n signature scheme, $\mathcal{S}^{1,n}$, is a triple of 
polynomial-time algorithms, $\mathcal{S}^{1,n} = (\mathcal{G}^{1,n}, \mathcal{S}^{1,n}, \mathcal{V}^{1,n})$: 

$(sk, vk) \leftarrow \mathcal{G}^{1,n}(1^\kappa)$  A probabilistic algorithm that takes security parameter 
$\kappa$ and outputs private key $sk$ and public-key $vk$. 

$\sigma \leftarrow \mathcal{S}^{1,n}_{sk}(m, L)$  A (probabilistic) algorithm that takes message $m$ and a 
list, say $L$, of public-keys including the one that corresponds to $sk$, and 
outputs signature $\sigma$. 

$1/0 \leftarrow \mathcal{V}^{1,n}(m, \sigma)$  An algorithm that takes message $m$ and signature $\sigma$, 
and outputs either 1 or 0 meaning accept and reject, respectively. We require 
that $\mathcal{V}^{1,n}(m, \mathcal{S}^{1,n}_{sk}(m, L)) = 1$ for any message $m$, any $(sk, vk)$ generated 
by $\mathcal{G}^{1,n}$, and any $L$ that includes $vk$. 

Note that $\mathcal{G}^{1,n}$ does not generate $L$ but each key pair. Therefore, if $L$ includes 
public-keys based on different security parameters, the security of $\mathcal{S}^{1,n}$ is set to 
the smallest one among them. As we will see, $L$ can include several types of 
public-keys all at the same time, such as for RSA and Schnorr in a particular 
construction. $\mathcal{G}^{1,n}$ may be extended to take a description of the key-type to 
support such a variety of key pairs. By $|L|$, we denote the number of public- 
keys in $L$ hereafter. 
The security of 1-out-of-n signature schemes has two aspects: signer ambiguity 
and unforgeability. Informally, signer ambiguity means that it is infeasible 
to identify which signing key was used to generate a signature. 

Definition 2. (Signer Ambiguity). Let $L = \{vk_1, \ldots, vk_n\}$ where each key 
is generated as $(vk_i, sk_i) \leftarrow \mathcal{G}^{1,n}(1^{\kappa_i})$. $\mathcal{S}^{1,n}$ is perfectly signer-ambiguous if, for 
any $L$, any message $m$, and any $\sigma$ generated by $\sigma \leftarrow \mathcal{S}^{1,n}_{sk}(m, L)$ where 
$sk \leftarrow \{sk_1, \ldots, sk_n\}$, given $(L, m, \sigma)$, any unbounded adversary $A$ outputs $i$ such that 
$sk = sk_i$ with probability exactly $1/|L|$. 

Here, $a \leftarrow b$ denotes a uniform choice of an element from set $b$ and its assignment 
to $a$. It is important to see that an unbounded adversary can compute all private keys 
from $L$. In practice, it means that when each public-key is owned by an inde- 
pendent party, they remain uncertain who else has issued a signature involving 
their public-keys. 

Unforgeability of 1-out-of-n signature schemes is defined by naturally extending 
the notion of existential unforgeability against adaptive chosen message at- 
tacks (EUF-CMA) US), which is the strongest security notion for ordinary signature 
schemes. In chosen message attacks, an adversary is given unbounded access to the 
signing oracle and allowed to ask for signatures on arbitrary messages. To adapt to 
our situation, we further allow the adversary to choose an arbitrary set of public- 
keys, as a subset of the initially considered set of public-keys, every time it accesses 
the signing oracle. It is stressed that anyone can generate 1-out-of-n signatures 
for any message and any list of public-keys as long as the list includes their own key. 
So the definition of unforgeability should not treat "append-your-own-key-then- 
forge" activities as a forgery. The formal definition is as follows. 

Definition 3. (Existential Unforgeability against Adaptive Chosen 
Message and Chosen Public-Key Attacks). Let $(vk_i, sk_i) \leftarrow \mathcal{G}^{1,n}(1^{\kappa_i})$ for 
$i = 1, \ldots, n$. Let $\kappa = \min(\kappa_1, \ldots, \kappa_n)$ and $\mathcal{C} = \{vk_1, \ldots, vk_n\}$. Let $\mathcal{SO}^{1,n}(m_i, L_i)$ 
be a signing oracle that takes any message $m_i \in \{0,1\}^*$ and any $L_i \subseteq \mathcal{C}$ and 
outputs a valid signature $\sigma_i$ that satisfies $\mathcal{V}^{1,n}(m_i, \sigma_i) = 1$. We say $\mathcal{S}^{1,n}$ is ex- 
istentially unforgeable against adaptive chosen message and chosen public-key 
attacks if, for any polynomial-time oracle machine $A$ such that $(L, m, \sigma) \leftarrow 
A^{\mathcal{SO}^{1,n}}(\mathcal{C})$, its output satisfies $\mathcal{V}^{1,n}(m, \sigma) = 1$ only with negligible probability 
in $\kappa$. The restriction is that $L \subseteq \mathcal{C}$, and $(L, m, \sigma) \notin \{(L_i, m_i, \sigma_i)\}$ where 
$\{(L_i, m_i, \sigma_i)\}$ is the set of oracle queries and replies between $A$ and $\mathcal{SO}^{1,n}$. 

The above definition is a seamless extension of EUF-CMA since the case of 
$n = 1$ is equivalent to it. Note that the size of $\mathcal{C}$ can be a security parameter 
as well, though it is not in our case. It is important to see that the above definition 
states that the list of public-keys must not be altered, just like the message. 
That is, one should not be able to add or remove public-keys associated to given 
signatures. 
3 Previous Schemes 

3.1 Witness Indistinguishable Signatures [9] 

Here we review the witness indistinguishable signatures from [9] with a concrete 
discrete logarithm setting. Let $p_i, q_i$ be large primes. Let $\langle g_i \rangle$ denote a prime-order 
subgroup of $\mathbb{Z}_{p_i}^*$ generated by $g_i$ whose order is $q_i$. Let $x_i, y_i$ be such that $y_i = g_i^{x_i} \bmod p_i$. 
Here, $x_i$ is the secret-key and $(y_i, p_i, q_i, g_i)$ is the public-key. Let $L$ be a set of 
$(y_i, p_i, q_i, g_i)$ for $i = 0, \ldots, n-1$. Let $H : \{0,1\}^* \to \{0,1\}^\ell$ be a publicly available 
hash function, where $\ell$ is larger than the largest $|q_i|$. 

A signer who owns secret key $x_k$ generates a signature for message $m$ with 
public-key list $L$ that includes his own public-key, in the following way. 

W-1 (Simulation step): For $i = 0, \ldots, n-1$, $i \neq k$, select $s_i, c_i \leftarrow \mathbb{Z}_{q_i}$ and 
compute $z_i = g_i^{s_i} y_i^{c_i} \bmod p_i$. 

W-2 (Real proof step): Select $r_k \leftarrow \mathbb{Z}_{q_k}$ and compute 

$$z_k = g_k^{r_k} \bmod p_k$$
$$c = H(L, m, z_0, \ldots, z_{n-1})$$
$$c_k = c \oplus (c_0 \oplus \cdots \oplus c_{k-1} \oplus c_{k+1} \oplus \cdots \oplus c_{n-1}) \quad (\oplus: \text{bitwise XOR})$$
$$s_k = r_k - c_k \cdot x_k \bmod q_k.$$

The resulting signature is $\sigma = (c_0, s_0, \ldots, c_{n-1}, s_{n-1})$. A triple $(L, m, \sigma)$ is valid if 

$$c_0 \oplus \cdots \oplus c_{n-1} = H(L, m, g_0^{s_0} y_0^{c_0} \bmod p_0, \ldots, g_{n-1}^{s_{n-1}} y_{n-1}^{c_{n-1}} \bmod p_{n-1}).$$

The size of $\sigma$ is $n\ell + \sum_{i=0}^{n-1} |q_i|$ bits. $L$ does not necessarily contain whole 
public-keys but may contain some identifiers of the keys. The security can be proven in the 
random oracle model by using the rewinding simulation technique 11412011^1 . 
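As an added example (not from the original paper), the following Python implements the W-1/W-2 signing procedure and the XOR-based verification above, with three independent toy Schnorr groups so that each signer has its own $(p_i, q_i, g_i)$, as the separable model requires. The group parameters, the SHA-256 instantiation of $H$ (so $\ell = 256$) and the canonical encoding of $(L, m, z_0, \ldots, z_{n-1})$ are assumptions of this example.

```python
import hashlib
import secrets

# Toy Schnorr groups (p_i, q_i, g_i): q_i | p_i - 1 and g_i has order q_i.
# Assumed for illustration only; real q_i are at least 160 bits.
GROUPS = [(23, 11, 4), (47, 23, 4), (59, 29, 4)]
ELL = 256   # output length of H (SHA-256), larger than every |q_i|

def keygen(p, q, g):
    """Return (x_i, (y_i, p_i, q_i, g_i)) with y_i = g_i^{x_i} mod p_i."""
    x = secrets.randbelow(q - 1) + 1
    return x, (pow(g, x, p), p, q, g)

def H(L, m, z):
    """H: {0,1}* -> {0,1}^ELL over a canonical encoding of (L, m, z_0..z_{n-1})."""
    data = repr((L, m, tuple(z))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def wi_sign(L, m, k, x_k):
    n = len(L)
    c, s, z = [0] * n, [0] * n, [0] * n
    for i, (y, p, q, g) in enumerate(L):          # W-1: simulate every i != k
        if i != k:
            s[i], c[i] = secrets.randbelow(q), secrets.randbelow(q)
            z[i] = pow(g, s[i], p) * pow(y, c[i], p) % p
    y, p, q, g = L[k]                              # W-2: real proof for index k
    r = secrets.randbelow(q)
    z[k] = pow(g, r, p)
    c[k] = H(L, m, z)
    for i in range(n):
        if i != k:
            c[k] ^= c[i]                           # c_k = c XOR (all other c_i)
    s[k] = (r - c[k] * x_k) % q
    return list(zip(c, s))                         # sigma = (c_0, s_0, ..., c_{n-1}, s_{n-1})

def wi_verify(L, m, sigma):
    """Recompute every z_i = g_i^{s_i} y_i^{c_i} and check the XOR of the c_i."""
    z = [pow(g, s, p) * pow(y, c, p) % p for (y, p, q, g), (c, s) in zip(L, sigma)]
    xor = 0
    for c, _ in sigma:
        xor ^= c
    return xor == H(L, m, z)

def sig_bits(L):
    """Signature length n*ELL + sum |q_i| as stated for this scheme."""
    return len(L) * ELL + sum(q.bit_length() for _, _, q, _ in L)
```

The verifier cannot tell which index carried the real proof: for $i \ne k$ the pair $(c_i, s_i)$ is uniform by construction, and for $i = k$ the value $c_k$ is fixed by the hash and $s_k$ by $r_k$, which is equally uniform.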

3.2 Ring Signatures with Trapdoor One-Way Permutations [21] 

Let $f_i : \{0,1\}^\ell \to \{0,1\}^\ell$ be a trapdoor one-way permutation whose inverse, 
$f_i^{-1}$, can be computed only if the trapdoor information is known. Let $E, D$ 
be a symmetric-key encryption and decryption function whose message space is 
$\{0,1\}^\ell$. Let $H$ be a hash function whose output domain matches the key-space 
of $E, D$. 

Given $f_0, \ldots, f_{n-1}$, the signer who can compute $f_k^{-1}$ generates a signature 
for message $m$ in the following way. 

R-1 (Initialization): Compute $r_{n-1} = D_K(c_0)$ where $K = H(m)$ and $c_0 \leftarrow \{0,1\}^\ell$. 

R-2 (Forward sequence): For $i = 0, \ldots, k-1$, compute $c_{i+1} = E_K(c_i \oplus f_i(s_i))$ 
for $s_i \leftarrow \{0,1\}^\ell$. 

R-3 (Backward sequence): For $i = n-1, \ldots, k+1$, compute $r_{i-1} = D_K(r_i \oplus f_i(s_i))$ 
for $s_i \leftarrow \{0,1\}^\ell$. 

R-4 (Shaping into a ring): Compute $s_k = f_k^{-1}(c_k \oplus r_k)$. 

The resulting signature is $(c_0, s_0, s_1, \ldots, s_{n-1})$. A signature-message pair is ver- 
ified by computing $K = H(m)$ and $c_{i+1} = E_K(c_i \oplus f_i(s_i))$ for $i = 0, \ldots, n-1$, 
and accepting if $c_n = c_0$ holds. 

In practice, each trapdoor permutation will be defined over an individual do- 
main such as $\mathbb{Z}_{N_i}$. In such a case, the above scheme needs to transform such 
individual functions into common-domain trapdoor permutations. This transfor- 
mation incurs some overhead. The following method is suggested in mi to trans- 
form $\varepsilon_i$ into $f_i$ defined over the common domain $\{0,1\}^\ell$ where $\ell = \max\{|N_i|\} + 160$. 
Let $\varepsilon_i$ be the RSA encryption function with modulus $N_i$. Let $Q$ and $S$ be non-negative 
integers such that $QN_i + S = s$ and $0 \le S < N_i$. Define 

$$f_i(s) = \begin{cases} QN_i + \varepsilon_i(S) & \text{if } (Q+1)N_i < 2^\ell \\ s & \text{otherwise.} \end{cases}$$

In order for the latter case to happen only with negligible probability, $\ell$ should 
be polynomially larger than the size of the largest modulus. For instance, if the 
largest modulus is 2048 bits, $\ell$ will be $2048 + 160$ bits. Accordingly, the resulting 
signature size is $2208(n+1)$ bits. This would be a large overhead when the other 
moduli are all 1024 bits. 

The above ring signature is existentially unforgeable against adaptive chosen 
message attacks in the ideal cipher model where $E$ and $D$ are modeled by truly 
random permutations. 
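As an added example (not the original paper's code), the following Python carries out R-1 to R-4 and the ring verification with three toy RSA trapdoor permutations of different modulus sizes, including the common-domain extension $f_i$ defined above. The key sizes, the choice of $\ell = \max|N_i| + 8$ instead of $+160$, and the cipher $E_K$ (modular addition of the key, a placeholder for the ideal cipher with no security of its own) are assumptions of this example.

```python
import hashlib
import secrets

# Toy RSA trapdoor permutations eps_i on Z_{N_i}; assumed values, far too small
# for real use. Note the moduli differ in size, which is what f_i has to hide.
RSA_PRIMES = [(1009, 1013), (10007, 10009), (1019, 1021)]
E = 65537
PUBS = [(p * q, E) for p, q in RSA_PRIMES]
PRIVS = [pow(E, -1, (p - 1) * (q - 1)) for p, q in RSA_PRIMES]
# Common domain {0,1}^ELL; the paper uses max|N_i| + 160, scaled down here.
ELL = max(n.bit_length() for n, _ in PUBS) + 8
MASK = (1 << ELL) - 1

def f(pub, s):
    """Common-domain extension: s = Q*N_i + S maps to Q*N_i + eps_i(S)."""
    n_i, e = pub
    q_, r_ = divmod(s, n_i)
    return q_ * n_i + pow(r_, e, n_i) if (q_ + 1) * n_i < (1 << ELL) else s

def f_inv(pub, d, t):
    """Inverse of f using the trapdoor d (same block test, RSA decryption inside)."""
    n_i, _ = pub
    q_, r_ = divmod(t, n_i)
    return q_ * n_i + pow(r_, d, n_i) if (q_ + 1) * n_i < (1 << ELL) else t

def key_of(m):
    """K = H(m), truncated to ELL bits."""
    return int.from_bytes(hashlib.sha256(m.encode()).digest(), "big") & MASK

def enc(k, x):
    """Toy stand-in for the ideal cipher E_K on {0,1}^ELL (NOT a secure cipher)."""
    return (x + k) & MASK

def dec(k, x):
    return (x - k) & MASK

def ring_sign(pubs, k, d_k, m):
    n = len(pubs)
    key = key_of(m)
    c, r, s = [None] * n, [None] * n, [None] * n
    c[0] = secrets.randbits(ELL)                       # R-1
    r[n - 1] = dec(key, c[0])
    for i in range(k):                                 # R-2: forward, c_1 .. c_k
        s[i] = secrets.randbits(ELL)
        c[i + 1] = enc(key, c[i] ^ f(pubs[i], s[i]))
    for i in range(n - 1, k, -1):                      # R-3: backward, r_{n-2} .. r_k
        s[i] = secrets.randbits(ELL)
        r[i - 1] = dec(key, r[i] ^ f(pubs[i], s[i]))
    s[k] = f_inv(pubs[k], d_k, c[k] ^ r[k])            # R-4: close the ring
    return c[0], s

def ring_verify(pubs, m, sig):
    """Walk the ring forward from c_0 and accept iff it returns to c_0."""
    c0, s = sig
    key = key_of(m)
    c = c0
    for pub, s_i in zip(pubs, s):
        c = enc(key, c ^ f(pub, s_i))
    return c == c0
```

Every $s_i$ occupies $\ell$ bits regardless of its own modulus size, which is the $(n+1)\ell$-bit signature length the text complains about; inputs $s$ in the last partial block (where $(Q+1)N_i \ge 2^\ell$) pass through $f_i$ unchanged.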


3.3 Other Related Works 

0 extends the scheme of m to a threshold scheme with the cost of 0(2* logn) 
efficiency for threshold t. |HU considers deniable ring authentication that accepts 
variety of public-keys and a threshold of signers. It however, needs interaction 
between the signer and the verifier. 

4 Our Scheme 

4.1 Type of Keys and Signature Schemes 

This section describes signature schemes whose public-keys can be used in our 
construction of 1-out-of-n signature schemes. Let $\mathcal{S} = (\mathcal{G}^{sig}, \mathcal{S}^{sig}, \mathcal{V}^{sig})$ be a signa- 
ture scheme. We require that the underlying signature scheme be secure (existentially 
unforgeable) against adaptive chosen message attacks. For this to be achieved, 
it must at least be hard to compute $sk$ from $vk$. 

We consider two types of signature schemes, which we call Hash-then-One- 
Way type (type-H) and Three-move type (type-T) in the rest of this paper. 

A representative of type-H is the Full-domain RSA signature scheme. Let $F$ 
be a trapdoor one-way function and $I$ be its inverse function. For any $c$ taken 
from the appropriate domain, computing $c = F_{vk}(s)$ from $s$ is easy but a preimage of $c$ 
cannot be computed in polynomial time. Trapdoor information $sk$ allows one to 
efficiently compute one of the pre-images of $c$. The signing function $\mathcal{S}^{sig}$ involves 
$I$ and a hash function $H : \{0,1\}^* \to \mathcal{A}$ that hashes message $m$ and auxiliary 
information if any. Domain $\mathcal{A}$ is assumed to be an abelian group, such as the integers modulo 
an RSA composite, that depends on the particular details of the signature scheme 
and the security parameter. $H$ can be a composition of hash functions. The 
verification function $\mathcal{V}^{sig}$ of type-H consists of $F$ and $H$. $H$ is the same as that 
in $\mathcal{S}^{sig}$. By $F$, signature $\sigma$ is transformed into an element of $\mathcal{A}$ so that the result 
can be compared with the hashed message. In summary, type-H is as follows. 


Hash-and-One-Way Type 

Signing  $\mathcal{S}^{sig}_{sk}(m) =$ 
    $c = H(m, aux)$ 
    $s = I_{sk}(c)$ 
    Return $\sigma = (s, aux)$ 

Verification  $\mathcal{V}^{sig}_{vk}(m, \sigma) =$ 
    $\sigma \to (s, aux)$   ($\to$: parsing) 
    $c = H(m, aux)$ 
    $e = F_{vk}(s)$ 
    Return 1 if $c = e$. Otherwise, 0. 


The security of type-H requires that computing $I_{sk}(c)$ without $sk$ be in- 
tractable. The precise description is as follows. 

Assumption 1 (Intractability of Computing $I$). For any probabilistic poly- 
time algorithm $A$, for $(vk, sk) \leftarrow \mathcal{G}^{sig}(1^\kappa)$, and for $c \leftarrow \mathcal{A}$, $F_{vk}(A(c, vk)) = c$ 
happens only with negligible probability in $\kappa$. The probability is taken over the coin flips 
of $A$, $\mathcal{G}^{sig}$, and the choice of $c$. 

To prevent $A$ from being successful by random guessing, $I$ must not shrink $\mathcal{A}$ into an 
exponentially small domain. Typically, $I$ is one-to-one with regard to variable $c$. 
Finally, note that the above intractability assumption for computing $I$ is stronger 
than that for computing $sk$ only from $vk$. 

Next we describe type-T schemes. As the name implies, this type of scheme 
comes from three-move honest verifier zero-knowledge proofs. The classical Fiat-Shamir 
signature scheme belongs to this type. Here, the signing function $\mathcal{S}^{sig}$ involves three 
functions, say $A$, $H$, and $Z$, used in each stage of the three-move honest verifier zero- 
knowledge proof system. $A$ generates the first-move commitment $a$ with 
regard to randomness $r$. $H$ is a hash function $\{0,1\}^* \to \mathcal{A}$ used to generate a 
challenge string $c$ from message $m$ and commitment $a$. $Z$ is an answer genera- 
tion function that generates an answer, say $s$, to the challenge. The verification 
function $\mathcal{V}^{sig}$ involves two functions $V$ and $H$. $V$ is a checking predicate of the 
embedded zero-knowledge proof system. It converts $s$ and $c$ into $z$, which is sup- 
posed to equal $a$. If that is the case, hashing $z$ with message $m$ using $H$ 
in the same way as in the signing procedure outputs $e$ that matches $c$. The abstract 
description follows. 
Three-Move Type 

Signing  $\mathcal{S}^{sig}_{sk}(m) =$ 
    $a \leftarrow A(sk; r)$ 
    $c = H(m, a)$ 
    $s = Z(sk, r, c)$ 
    Return $\sigma = (s, c)$ 

Verification  $\mathcal{V}^{sig}_{vk}(m, \sigma) =$ 
    $\sigma \to (s, c)$ 
    $z = V(s, c, vk)$ 
    $e = H(m, z)$ 
    Return 1 if $c = e$. Otherwise 0. 


The following property is assumed for type-T schemes. 

Definition 4. (Collision Property). There exists a polynomial-time algorithm 
that computes $sk$ from $(c, s, c', s')$ and $vk$, where $(c, s)$ and $(c', s')$ are two unequal 
valid signatures that correspond to the same $(a, m)$ given to hash function $H$. 

This property is frequently used for proving the security of type-T schemes such 
as Schnorr signatures and Modified ElGamal signatures and a vast number of their 
variants. 

Regardless of the type, we require that the signature scheme be simulatable 
in a particular model. Intuitively, it must be possible to construct a simulator 
that simulates the signing oracle without the signing key. In many schemes, 
this property is achieved in the random oracle model. The precise definition of this 
property is as follows. 

Definition 5. (Simulatability of $\mathcal{S}$ in the Random Oracle Model). A sig- 
nature scheme $\mathcal{S}$ is $(t, \varepsilon, q_s, q_h)$-simulatable in the random oracle model if for 
any key-pair $(sk, vk)$ generated by $\mathcal{G}^{sig}(1^\kappa)$ and for any algorithm $A$ that refers to 
random oracle $H$ at most $q_h$ times and to $\mathcal{S}^{sig}_{sk}$ at most $q_s$ times, there exists a 
pair of interactive machines $\mathcal{M}^{sim} = (\mathcal{S}^{sim}, H^{sim})$ that interacts with $A$ in such 
a way that the total running time is at most $t$, and the statistical distance between the 
probability distributions of $\mathrm{view}_A(vk, \mathcal{S}^{sig}_{sk}, H)$ and $\mathrm{view}_A(vk, \mathcal{M}^{sim})$ is at most $2\varepsilon$. 
Here, the probability is taken over all coin flips of $\mathcal{G}^{sig}$, $\mathcal{S}^{sig}$, $H$, $\mathcal{M}^{sim}$, and $A$. 

The above definition can be generalized to deal with multiple oracles for signa- 
ture schemes that involve multiple hash functions if necessary. Simulatability 
is featured in many practical EUF-CMA signature schemes such as the Schnorr 
signature scheme and the FDH-RSA scheme. Given this property, one can say that 
an event that happens with probability $p$ in the real run also happens with 
probability at least $p - \varepsilon$ in the simulation. 


4.2 Description 
[Key Generation] 

A signer generates his own key pair by using the key generation function 
of a signature scheme of his choice: $(sk, vk) \leftarrow \mathcal{G}^{sig}(1^\kappa)$. 

[Public-Key Listing] 

Collect public-keys and list them in $L$. Then insert $vk$ at a randomly chosen 
position of the list. Let $L = \{vk_0, \ldots, vk_{n-1}\}$ where $vk_k = vk$ for some $k \in 
\{0, \ldots, n-1\}$. (The corresponding signing key $sk$ is referred to as $sk_k$ hereafter.) 

For $a, b \in \mathcal{A}_i$, let $a + b$ denote the group operation of abelian group $\mathcal{A}_i$, and 
$a - b$ the group operation with the inverse of $b$. These binary operators are used 
without subscripts denoting each group. Let $H_i : \{0,1\}^* \to \mathcal{A}_i$ be a hash 
function. Domain $\mathcal{A}_i$ depends on $vk_i$. 


[Signature Generation] 

G-1 (Initialization): Compute 

$$e_k = \begin{cases} A_k(sk_k; \alpha) & (vk_k \text{ is type-T}), \text{ or} \\ \beta & (vk_k \text{ is type-H}), \end{cases}$$

where $\alpha \leftarrow \mathcal{A}_k$ and $\beta \leftarrow A_k$ ($\mathcal{A}_k$ denotes an appropriate space of 
randomness defined by the algorithm $A_k$ and $sk_k$). Then compute 
$c_{k+1} = H_{k+1}(L, m, e_k)$. 

G-2 (Forward sequence): For $i = k+1, \ldots, n-1, 0, \ldots, k-1$, compute 

$$e_i = \begin{cases} V_i(s_i, c_i, vk_i) & (vk_i \text{ is type-T}), \text{ or} \\ c_i + F_i(s_i, vk_i) & (vk_i \text{ is type-H}), \end{cases}$$

where $s_i$ is randomly chosen. Then compute $c_{i+1} = H_{i+1}(L, m, e_i)$. (Indices are 
taken modulo $n$, so the step $i = n-1$ yields $c_0$.) 

G-3 (Forming the ring): Compute 

$$s_k = \begin{cases} Z_k(sk_k, \alpha, c_k) & (vk_k \text{ is type-T}), \text{ or} \\ I_k(\beta - c_k, sk_k) & (vk_k \text{ is type-H}). \end{cases}$$

The resulting signature for $m$ and $L$ is $(c_0, s_0, s_1, \ldots, s_{n-1})$. 

[Signature Verification] 

For $i = 0, \ldots, n-1$, compute 

$$e_i = \begin{cases} V_i(s_i, c_i, vk_i) & (vk_i \text{ is type-T}), \text{ or} \\ c_i + F_i(s_i, vk_i) & (vk_i \text{ is type-H}), \end{cases}$$

and then $c_{i+1} = H_{i+1}(L, m, e_i)$ if $i \ne n-1$. Accept if $c_0 = H_0(L, m, e_{n-1})$. 
Reject otherwise. 


4.3 Remark on Compatibility of Keys 

Some signature schemes are neither type-T nor type-H. For such schemes, we 
consider compatibility among signature schemes. Signature scheme A is compatible 
with scheme B if 1) A's private and public keys can be used to issue and 
verify signatures of scheme B, and 2) breaking B (in the EUF-CMA sense) implies 
breaking A using the same key. For instance, DSS is of neither type, but it is 
compatible with the Schnorr signature scheme of type-T. Since breaking the 
Schnorr signature scheme implies that the discrete-log is tractable with regard 
to the key, it implies that DSS is broken, too. Thus, DSS keys can be involved in our 
scheme as type-T. 

With regard to type-H schemes, however, special care may be needed. Remember 
that type-H only shows the ability of computing $I_{sk}(\cdot)$ and does not 
necessarily imply possession of $sk$. Therefore, it is not sufficient that scheme A's 
keys can be used in scheme B; it has to be true that the ability of computing 
$I_{sk}(\cdot)$ of scheme B is sufficient to generate signatures of A. 

The signature scheme in [2] is a curious scheme that belongs to type-H but 
its keys are also compatible with type-T ones. In such a case, one can select the more 
efficient type to involve the keys. 

5 Concrete Examples 

Leaving out the security proof for the abstract scheme (which turns out to be 
similar to the one shown in Section 5.1), we present concrete examples and their 
security proofs in order to help readers who are familiar with RSA and Schnorr 
signatures grasp the ideas behind our construction and the security proofs. 

5.1 All Discrete-log Case 

For $i = 0, \ldots, n-1$, let $(y_i, p_i, q_i, g_i)$ be DL public-keys as described in Section 
and $H_i : \{0, 1\}^* \to \mathbb{Z}_{q_i}$ be hash functions. Let $L$ be a list of these public-keys. A 
signer who has private key $x_k$ generates a signature for message $m$ as follows. 

[Signature Generation] 

D-1 (Initialization): Select $\alpha \leftarrow \mathbb{Z}_{q_k}$ and compute $c_{k+1} = H_{k+1}(L, m, 
g_k^{\alpha} \bmod p_k)$. 

D-2 (Forward sequence): For $i = k+1, \ldots, n-1, 0, \ldots, k-1$, select $s_i \leftarrow \mathbb{Z}_{q_i}$ 
and compute $c_{i+1} = H_{i+1}(L, m, g_i^{s_i} y_i^{c_i} \bmod p_i)$. 

D-3 (Forming the ring): Compute $s_k = \alpha - x_k c_k \bmod q_k$. 

The resulting signature for $m$ and $L$ is $(c_0, s_0, s_1, \ldots, s_{n-1})$. 

[Signature Verification] 

For $i = 0, \ldots, n-1$, compute $e_i = g_i^{s_i} y_i^{c_i} \bmod p_i$ and then $c_{i+1} = H_{i+1}(L, m, e_i)$ 
if $i \ne n-1$. Accept if $c_0 = H_0(L, m, e_{n-1})$. Reject otherwise. 

Intuitively, this scheme is a ring of Schnorr signatures where each challenge 
is taken from the previous step. Indeed, it is the Schnorr signature scheme 
when $n = 1$. 

Theorem 2. The above all-DL scheme is unconditionally signer-ambiguous. 

Proof. Observe that all $s_i$ are taken randomly from $\mathbb{Z}_{q_i}$ except for $s_k$ at the 
closing point. At the closing point, $s_k$ also distributes uniformly over $\mathbb{Z}_{q_k}$ since 
$\alpha$ is uniformly chosen from $\mathbb{Z}_{q_k}$. Therefore, for fixed $(L, m)$, $(s_0, \ldots, s_{n-1})$ has 
$\prod_{i=0}^{n-1} q_i$ variations that are equally likely regardless of the closing point. The remaining 
$c_0$ in a signature is determined uniquely from $(L, m)$ and the $s_i$'s. $\square$ 

Note that the signer ambiguity does not rely on any ideal randomness assumption 
on the hash functions. 

Next, we claim unforgeability. Let $\mathcal{A}$ be a $(\tau, \epsilon, q_s, q_h)$-adversary that requests the 
signing oracle at most $q_s$ times and accesses the random oracles at most $q_h$ times in 
total and outputs a forged $(L, m, \sigma)$ with probability at least $\epsilon$ within running time 
at most $\tau$. The following theorem can be proven (see Appendix B). 

Theorem 3. If there exists a $(\tau, \epsilon, q_s, q_h)$-adversary $\mathcal{A}$ for a public-key set $\mathcal{L}$ of size 
$n$, then there exists an $(\eta, \mu)$-simulator $sim$ that uses $\mathcal{A}$ as a black-box and computes the 
discrete-logarithm $x_i$ of $(y_i, p_i, q_i, g_i) \in \mathcal{L}$ for at least one $i$ with probability at 
least $\mu$ within running time $\eta$. Here, $\eta < \frac{32 q_h^2 + 4}{\epsilon} \cdot \tau$ and $\mu > \frac{9}{100}$ under the 
condition that $\epsilon > \frac{8 q_h^2}{q}$ and $q > 2 q_h q_s$, where $q$ is the smallest $q_i$ included in $\mathcal{L}$. 

We remark that the running time only counts the number of black-box executions 
of $\mathcal{A}$. Note also that the condition $q > 2 q_h q_s$ is not essential and is used only 
for simplifying the presentation of the reduction cost so that the impact of each 
variable is comprehensible. If necessary, one can obtain a detailed formula without 
the condition. These remarks apply to all the theorems in the rest of this paper. 

5.2 All RSA Case 

For $i = 0, \ldots, n-1$, let $(e_i, N_i)$ be RSA public-keys and $H_i : \{0, 1\}^* \to \mathbb{Z}_{N_i}$ be 
hash functions. Let $L$ be a list of these public-keys. A signer who has private 
key $d_k$ generates a signature for message $m$ as follows. 

[Signature Generation] 

T-1 (Initialization): Select $r_k \leftarrow \mathbb{Z}_{N_k}$ and compute $c_{k+1} = H_{k+1}(L, m, r_k)$. 

T-2 (Forward sequence): For $i = k+1, \ldots, n-1, 0, \ldots, k-1$, select $s_i \leftarrow \mathbb{Z}_{N_i}$, 
and compute $c_{i+1} = H_{i+1}(L, m, c_i + s_i^{e_i} \bmod N_i)$. 

T-3 (Shaping into a ring): Compute $s_k = (r_k - c_k)^{d_k} \bmod N_k$. 

The resulting signature for $m$ and $L$ is $(c_0, s_0, s_1, \ldots, s_{n-1})$. 

[Signature Verification] 

For $i = 0, \ldots, n-1$, compute $r_i = c_i + s_i^{e_i} \bmod N_i$ and then $c_{i+1} = H_{i+1}(L, m, r_i)$ if 
$i \ne n-1$. Accept if $c_0 = H_0(L, m, r_{n-1})$. Reject otherwise. 

Unconditional signer-ambiguity can be proven in the same way as that for 
the all-DL scheme. Unforgeability is also proven in a similar way. We 
wrap the random oracles for each hash function in the same way as done in the proof 
for the DL version. The following theorem is proven (see Appendix C). 

Theorem 4. If there exists a $(\tau, \epsilon, q_s, q_h)$-adversary $\mathcal{A}$ for a public-key set $\mathcal{L}$ of size 
$n$, then there exists an $(\eta, \mu)$-simulator $sim$ that, given $(w_0, \ldots, w_{n-1})$, uses $\mathcal{A}$ as a 
black-box, and computes $w_i^{d_i} \bmod N_i$ for some $i \in \{0, \ldots, n-1\}$ with probability 
at least $\mu$ and running time within $\eta$. Here, $\eta \approx \tau$ and $\mu > \frac{\epsilon}{4 q_h^2}$ under the 
condition $N > 2 q_h q_s$, where $N$ is the smallest modulus among all $N_i$ in $\mathcal{L}$. 

5.3 Mixture Case: RSA and Schnorr 

We finally show a small example involving both RSA and DL keys. For simplicity, 
we consider the case $n = 2$, i.e., only two public-keys are involved. Let $L$ 
consist of one RSA public-key $(e, N)$ and one Schnorr public-key $(y, g, p, q)$. Let 
$H_0 : \{0, 1\}^* \to \mathbb{Z}_N$ and $H_1 : \{0, 1\}^* \to \mathbb{Z}_q$ be hash functions. A signer who has 
the RSA private key $d$ generates a signature for message $m$ as follows. 

[Signature Generation] 

M-1 (Initialization): Select $\beta \leftarrow \mathbb{Z}_N$ and compute $c_1 = H_1(L, m, \beta)$. 

M-2 (Forward sequence): Select $s_1 \leftarrow \mathbb{Z}_q$ and compute $c_0 = H_0(L, m, 
g^{s_1} y^{c_1} \bmod p)$. 

M-3 (Shaping into a ring): Compute $s_0 = (\beta - c_0)^d \bmod N$. 

The resulting signature is $(c_0, s_0, s_1)$. 

[Signature Verification] 

Given $(L, m, c_0, s_0, s_1)$, compute $c_1 = H_1(L, m, c_0 + s_0^e \bmod N)$. Accept if 
$c_0 = H_0(L, m, g^{s_1} y^{c_1} \bmod p)$. Reject otherwise. 

The signature can be shortened by selecting $(c_1, s_1, s_0)$ as the signature because 
$|c_0|$ is the size of the RSA modulus, typically 1024 bits or more, while $|c_1|$ is the size of $q$, 
typically 160 bits or more. 

Unconditional signer-ambiguity can be proven as for the former examples. 
Regarding unforgeability, we prove the following theorem by following a similar 
way to the proofs of Theorems 3 and 4. A sketch of the proof is shown in 
Appendix D. 

Theorem 5. The above scheme is existentially unforgeable against adaptive 
chosen message and chosen public-key attacks. 

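The following Python program is an added example, not code from the paper, that implements the abstract scheme of Section 4.2 (G-1 to G-3 and the verification loop) with both key types at once, so the all-DL ring of Section 5.1, the all-RSA ring of Section 5.2 and the RSA/Schnorr mixture of Section 5.3 are all instances of it. Type-T members are Schnorr keys (A, Z, V realised as $g^\alpha$, $\alpha - x c$, $g^s y^c$), type-H members are RSA keys (F, I realised as $s^e$ and $z^d$), and each member's $H_i$ is SHA-256 reduced into that member's own group $A_i$. The toy primes, the dictionary layout of the keys and the SHA-256 encoding of $(i, L, m, e_i)$ are this example's own choices; the paper fixes none of them.

```python
import hashlib
from secrets import randbelow

# Toy parameters constructed for this example; real keys need >= 2048-bit p / N
# and >= 256-bit q. Type-T keys are Schnorr keys over a prime-order subgroup of
# Z_p^*; type-H keys are RSA keys. Each member's hash H_i maps into its own
# group A_i (Z_q for type-T, Z_N for type-H), which is what makes the ring
# "separable": members need not share parameters or even the same key type.


def schnorr_keygen(p, q, g):
    """Type-T key: vk = (y, p, q, g) with y = g^x mod p, sk = x."""
    x = 1 + randbelow(q - 1)
    return {"type": "T", "p": p, "q": q, "g": g, "y": pow(g, x, p)}, x


def rsa_keygen(p, q, e):
    """Type-H key: vk = (N, e), sk = d = e^-1 mod phi(N)."""
    return {"type": "H", "N": p * q, "e": e}, pow(e, -1, (p - 1) * (q - 1))


def group_mod(vk):
    """Size of the abelian group A_i attached to vk_i: Z_q (type-T) or Z_N (type-H)."""
    return vk["q"] if vk["type"] == "T" else vk["N"]


def H(i, L, m, e):
    """H_i(L, m, e): SHA-256 over a canonical encoding, reduced into A_i.
    Binding the index i gives every ring position an independent oracle."""
    data = repr((i, [sorted(vk.items()) for vk in L], m, e)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % group_mod(L[i])


def commit(vk):
    """G-1: e_k = A_k(sk_k; alpha) = g^alpha for type-T, or a random beta for type-H.
    Returns (randomness to keep for G-3, e_k)."""
    if vk["type"] == "T":
        alpha = randbelow(vk["q"])
        return alpha, pow(vk["g"], alpha, vk["p"])
    beta = randbelow(vk["N"])
    return beta, beta


def step(vk, s, c):
    """G-2 and verification: e_i = V_i(s_i, c_i, vk_i) = g^s y^c (type-T),
    or e_i = c_i + F_i(s_i, vk_i) = c_i + s^e mod N (type-H)."""
    if vk["type"] == "T":
        return pow(vk["g"], s, vk["p"]) * pow(vk["y"], c, vk["p"]) % vk["p"]
    return (c + pow(s, vk["e"], vk["N"])) % vk["N"]


def close(vk, sk, rnd, c):
    """G-3: s_k = Z_k(sk, alpha, c_k) = alpha - x c_k (type-T),
    or s_k = I_k(beta - c_k, sk) = (beta - c_k)^d mod N (type-H)."""
    if vk["type"] == "T":
        return (rnd - sk * c) % vk["q"]
    return pow((rnd - c) % vk["N"], sk, vk["N"])


def sign(L, m, k, sk):
    """1-out-of-n signature on m under ring L, produced by the holder of sk for L[k]."""
    n = len(L)
    c, s = [None] * n, [None] * n
    rnd, e_k = commit(L[k])
    c[(k + 1) % n] = H((k + 1) % n, L, m, e_k)
    for i in ((k + 1 + j) % n for j in range(n - 1)):   # i = k+1, ..., n-1, 0, ..., k-1
        s[i] = randbelow(group_mod(L[i]))
        c[(i + 1) % n] = H((i + 1) % n, L, m, step(L[i], s[i], c[i]))
    s[k] = close(L[k], sk, rnd, c[k])                    # the ring is closed at k
    return c[0], s


def verify(L, m, sig):
    """Recompute the whole ring from c_0 and accept iff it returns to c_0."""
    c0, s = sig
    n = len(L)
    if len(s) != n or not 0 <= c0 < group_mod(L[0]):
        return False
    if not all(0 <= s[i] < group_mod(L[i]) for i in range(n)):
        return False
    c = c0
    for i in range(n):
        c = H((i + 1) % n, L, m, step(L[i], s[i], c))
    return c == c0
```

A ring of one Schnorr key reduces to plain Schnorr and a ring of one RSA key to a full-domain-hash-style RSA signature, as the paper notes for $n = 1$. The range checks in `verify` matter in practice: a verifier that accepts $s_i$ outside $A_i$ or a $c_0$ outside $A_0$ is no longer checking the scheme as specified.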
6 Efficiency 

We compare our ring signature scheme with the existing schemes using DL, 
ECDL (elliptic curve DL) and RSA trapdoor functions, in terms of the length of 
a signature and the computational cost of signature generation and verification. 
Hereafter we refer to the witness-indistinguishable signature scheme described earlier 
by "WI signatures" and the ring signature scheme with RSA trapdoor function described 
earlier by "RSA ring signatures". Let $n$ be the number of signers of the ring signature. 

Table 1 shows the comparison in terms of the length of a signature. Here, L(DL) 
is the length of the exponent of a DL signature, typically 160 bits; L(RSA) is 
the length of the modulus of an RSA signature, typically 1024 bits; and L(EC) is the 
length of the order of the cyclic subgroup on the elliptic curve, typically 160 bits. 
From the table, we can see that the length of our signature with DL is one half 
of that of the WI signature for large $n$, and that the length of our signature with RSA is 
about 0.86 (= 1024/1184) of that of the RSA ring signature. 

Table 1. The table shows the length of a signature and its typical value (bits). 

                        Length of signature                        Typical value 
  WI signature          (L(DL) + L(DL)) x n                        320 x n 
  Ours with DL          L(DL) + L(DL) x n                          160 + 160 x n 
  Ours with ECDL        L(EC) + L(EC) x n                          160 + 160 x n 
  RSA ring signature    (L(RSA) + 160) + (L(RSA) + 160) x n        1184 + 1184 x n 
  Ours with RSA         L(RSA) + L(RSA) x n                        1024 + 1024 x n 

Table 2. The table shows the computational costs of signature generation and 
verification and their typical values (arithmetic operations). 

                        Costs of generation                        Typical value 
  WI signature          T(DL) x 5/4 x n                            2.0 x 10^8 x n 
  Ours with DL          T(DL) x 5/4 x n                            2.0 x 10^8 x n 
  Ours with ECDL        T(EC) x 5/4 x n                            7.1 x 10^7 x n 
  RSA ring signature    T(RSA^-1) + T(RSA) x n                     1.0 x 10^9 + 1.6 x 10^7 x n 
  Ours with RSA         T(RSA^-1) + T(RSA) x n                     1.0 x 10^9 + 1.6 x 10^7 x n 

                        Costs of verification                      Typical value 
  WI signature          T(DL) x 5/4 x n                            2.0 x 10^8 x n 
  Ours with DL          T(DL) x 5/4 x n                            2.0 x 10^8 x n 
  Ours with ECDL        T(EC) x 5/4 x n                            7.1 x 10^7 x n 
  RSA ring signature    T(RSA) x n                                 1.6 x 10^7 x n 
  Ours with RSA         T(RSA) x n                                 1.6 x 10^7 x n 

Table 2 shows the comparison in terms of the computational costs of signature 
generation and verification. Here, T(DL), T(EC), T(RSA$^{-1}$) and T(RSA) 
are the computational costs of a modular exponentiation, a scalar multiplication 
on an elliptic curve, the inverse RSA function and the RSA function, respectively. 
Typically, $T(\mathrm{DL}) = T((1024)^{(160)})$, $T(\mathrm{EC}) = T((160) \cdot (\mathrm{EC}160))$, $T(\mathrm{RSA}^{-1}) = 
T((1024)^{(1024)})$ and $T(\mathrm{RSA}) = T((1024)^{(16)})$. Here, $T((x)^{(y)})$ is the number 
of (single precision) arithmetic operations of an exponentiation with an $x$-bit modulus 
and a $y$-bit exponent, and is estimated as $x^2 \times y$: an exponentiation with a $y$-bit exponent 
needs the equivalent of $y$ $x$-bit multiplications, using the binary method and the fact that 
a squaring costs half of a multiplication, and an $x$-bit multiplication needs $x^2$ (single 
precision) arithmetic operations. $T((y) \cdot (\mathrm{EC}x))$ is the number of (single precision) arithmetic 
operations of a scalar multiplication on an elliptic curve with an $x$-bit base field and a $y$-bit 
scalar, and is estimated as $x^2 \times 14 \times y$: a scalar multiplication with a 
$y$-bit scalar needs the equivalent of $y$ point additions, using the binary method and the fact 
that a doubling costs half of an addition, an addition of points over an $x$-bit base field 
needs 14 $x$-bit multiplications using Jacobian coordinates, and an $x$-bit multiplication 
needs $x^2$ (single precision) arithmetic operations. Hence, we have 

$T((1024)^{(1024)}) = 1024^2 \times 1024 \approx 1.07 \times 10^9$, 

$T((1024)^{(160)}) = 1024^2 \times 160 \approx 1.68 \times 10^8$, 

$T((1024)^{(16)}) = 1024^2 \times 16 \approx 1.68 \times 10^7$, 

$T((160) \cdot (\mathrm{EC}160)) = 160^2 \times 14 \times 160 \approx 5.73 \times 10^7$. 

The computational cost of an exponentiation with two bases is 5/4 of that of an 
exponentiation with a single base, using the two-base binary method (simultaneous 
exponentiation). From the table, we can see that the computational cost of our signature 
with DL is the same as that of the WI signature, and that the computational cost of our 
signature with RSA is the same as that of the RSA ring signature. 

Notice that in the known schemes the length and the computational cost of a 
signature are proportional to the maximum of the lengths of the DL exponents / RSA 
moduli. In our scheme, the length and the computational cost of a signature are 
proportional to the average of the lengths of the DL exponents / RSA moduli, since 
our scheme need not round up each length to the maximum length. 
Appendix A 

The following is an efficient 1-out-of-n signature scheme in the non-separable model 
based on the representation problem. 

Let $p, q$ be large primes. Let $\langle g \rangle$ denote the prime-order subgroup of $\mathbb{Z}_p^*$ generated by 
$g$, whose order is $q$. Let $y_i = g^{x_i} \bmod p$. Here $x_i$ is the secret-key and 
$(y_i, p, q, g)$ is the public-key. All members use the common $p, q, g$ in the non-separable 
model, so only $y_i$ differs among the members' public-keys. Let $L$ be a set of 
$(y_i, p, q, g)$ for $i = 0, \ldots, n-1$. Let $H : \{0, 1\}^* \to \mathbb{Z}_q$ be a hash function. 

A signer who owns secret key $x_k$ generates a signature for message $m$ with 
public-key list $L$ that includes $y_k$ in the following way. 

S-1 Select $\alpha, c_i \leftarrow \mathbb{Z}_q$ for $i = 0, \ldots, n-1$, $i \ne k$, and compute 
$z = g^{\alpha} \prod_{i=0,\, i \ne k}^{n-1} y_i^{c_i} \bmod p$. 

S-2 Compute 

$c = H(L, m, z)$, 

$c_k = c - (c_0 + \cdots + c_{k-1} + c_{k+1} + \cdots + c_{n-1}) \bmod q$, 

$s = \alpha - c_k \cdot x_k \bmod q$. 

The resulting signature is $\sigma = (s, c_0, \ldots, c_{n-1})$. $(L, m, \sigma)$ is valid if 
$\sum_{i=0}^{n-1} c_i = H(L, m, g^{s} y_0^{c_0} \cdots y_{n-1}^{c_{n-1}} \bmod p) \pmod q$. 

The security of this scheme can also be reduced to the discrete-log problem 
by rewinding simulation. But the reduction is quite costly because we may have 
to have at most $n$ successful rewinding simulations to extract only one secret-key 
(in this worst case, all the secret-keys are extracted at once). 

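To make the contrast with the ring construction concrete, here is an added Python example (not the paper's code) of the non-separable scheme of Appendix A: every member shares $(p, q, g)$, a single hash $H$ is used, and instead of a chain of challenges the signer solves for the one challenge $c_k$ that makes the challenges sum to $H(L, m, z)$. The toy group, the key list as a list of $y_i$ values and the SHA-256 encoding of $(L, m, z)$ are this example's own assumptions.

```python
import hashlib
from secrets import randbelow

# Constructed toy parameters shared by every member (the non-separable model):
# p = 2q + 1 and g = 4 generates the order-q subgroup. Not a secure size.
P, Q, G = 1019, 509, 4


def keygen():
    """Member key: y = g^x mod p, secret x."""
    x = 1 + randbelow(Q - 1)
    return pow(G, x, P), x


def H(L, m, z):
    """Single hash H(L, m, z) into Z_q (all members share one group)."""
    data = repr((tuple(L), m, z)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(L, m, k, x_k):
    """S-1/S-2: all c_i with i != k are free; c_k is solved for, s closes with x_k."""
    n = len(L)
    c = [randbelow(Q) for _ in range(n)]       # S-1: random c_i for i != k
    alpha = randbelow(Q)
    z = pow(G, alpha, P)
    for i in range(n):
        if i != k:
            z = z * pow(L[i], c[i], P) % P     # z = g^alpha * prod_{i != k} y_i^{c_i}
    c_total = H(L, m, z)                       # S-2
    c[k] = (c_total - sum(c[i] for i in range(n) if i != k)) % Q
    s = (alpha - c[k] * x_k) % Q
    return s, c


def verify(L, m, sig):
    """Accept iff sum(c_i) == H(L, m, g^s * prod_i y_i^{c_i}) mod q."""
    s, c = sig
    n = len(L)
    if len(c) != n or not 0 <= s < Q or not all(0 <= ci < Q for ci in c):
        return False
    z = pow(G, s, P)
    for y_i, c_i in zip(L, c):
        z = z * pow(y_i, c_i, P) % P           # g^s y_0^{c_0} ... y_{n-1}^{c_{n-1}}
    return sum(c) % Q == H(L, m, z)
```

The signature carries $n$ challenges plus one response, so its length grows like the WI signatures of Table 1 rather than like the ring construction, and the verifier's single multi-base exponentiation is what makes the representation-problem reduction in the text need up to $n$ rewinds.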

Appendix B (Proof of Theorem 3) 

To get the black-box $\mathcal{A}$ to run properly, $sim$ simulates the random oracles that 
correspond to each hash function and the signing oracle. For simplicity, the 
random oracles are treated as a single oracle that takes $Q_j = (i, L_j, m_j, r_j)$ 
as the $j$-th query and returns a random value that corresponds to $H_i(L_j, m_j, r_j)$, 
maintaining consistency against duplicated queries. The signing oracle receives 
the $j$-th query, say $R_j = (L_j, m_j)$, to sign. To avoid complicated suffixes, we 
describe a public-key with a suffix relative to $L_j$ in the current context. So, 
$y_0 \in L_j$ and $y_0 \in L_{j'}$ could differ. We hope that this causes no confusion. 
The corresponding answer is simulated in the following way. 

D'-1: Choose $c_0 \leftarrow \mathbb{Z}_{q_0}$. 

D'-2: For $i = 0, \ldots, |L_j| - 1$, select $s_i \leftarrow \mathbb{Z}_{q_i}$, compute $e_i = g_i^{s_i} y_i^{c_i} \bmod p_i$, 
and then compute $c_{i+1} = H_{i+1}(L_j, m_j, e_i)$ if $i \ne |L_j| - 1$. 

D'-3: Assign $c_0$ to the value of $H_0(L_j, m_j, e_{|L_j|-1})$. 

The simulation fails if Step D'-3 causes an inconsistency in $H_0$. It happens with 
probability at most $q_h / q$ where $q$ is the smallest $q_i$ in $\mathcal{L}$. Hence, the simulation 
is successful $q_s$ times with probability at least $(1 - q_h/q)^{q_s} > 1 - q_h q_s / q$. 

Let $\Theta, \Omega$ be the random tapes given to the signing oracle and $\mathcal{A}$. The success 
probability of $\mathcal{A}$ is taken over the space defined by $\Theta$, $\Omega$ and the random oracle $H$. 
Let $\mathcal{S}$ be the set of $(\Theta, \Omega, H)$ with which $\mathcal{A}$ is successful in forgery. From the 
definition of $\epsilon$, we have $\Pr[(\Theta, \Omega, H) \in \mathcal{S}] \ge \epsilon$. Let $(L, m, c_0, s_0, \ldots, s_{n'-1})$ be 
a forged signature $\mathcal{A}$ outputs. Here $n' = |L|$. Define $r_i = g_i^{s_i} y_i^{c_i} \bmod p_i$ and 
$c_{i+1} = H_{i+1}(L, m, r_i)$ for $i = 0, \ldots, n'-1$ (indices are taken modulo $n'$). Then, 
with probability at least $1 - 1/q$, there exist queries $Q_j = (i+1, L, m, r_i)$ for all 
$i = 0, \ldots, n'-1$ due to the ideal randomness of $H$. Let $\mathcal{S}'$ be the subset of $\mathcal{S}$ where 
$(\Theta, \Omega, H) \in \mathcal{S}'$ leads $\mathcal{A}$ to output a signature that has the corresponding queries 
as above with a successfully simulated signing oracle. Then, $\Pr[(\Theta, \Omega, H) \in \mathcal{S}'] \ge 
(1 - q_h q_s / q)(1 - 1/q)\epsilon$. Let $\epsilon' = (1 - q_h q_s / q)(1 - 1/q)\epsilon$. 

Since the queries form a ring, there exists at least one index, say $k$, in 
$\{0, \ldots, n'-1\}$ such that $Q_u = (k+1, L, m, r_k)$ and $Q_v = (k, L, m, r_{k-1})$ satisfy 
$u < v$. Namely, $k$ is in the gap of the query order. We call such $(u, v)$ a gap 
index. Note that $u = v$ happens only if $n' = 1$, which means that the resulting $L$ 
contains only one public-key. If there are two or more gap indices with regard to 
a signature, only the smallest one is considered. We classify $\mathcal{S}'$ by the gap indices. 
Let $\mathcal{S}'_{u,v}$ denote the class where $(\Theta, \Omega, H) \in \mathcal{S}'_{u,v}$ yields gap index $(u, v)$. There 
are at most $\binom{q_h}{2} + \binom{q_h}{1} = q_h(q_h + 1)/2$ classes. By invoking $\mathcal{A}$ with randomly 
chosen $(\Theta, \Omega, H)$ at most $t_1 = 1/\epsilon'$ times, $sim$ finds at least one $(\Theta, \Omega, H) \in \mathcal{S}'_{u,v}$ 
for some gap index $(u, v)$ with probability $1 - \exp(-1) > 3/5$. 

We consider the set of gap indices that are likely to appear when $(\Theta, \Omega, H)$ is chosen 
randomly. Let $GI = \{(u, v) \mid |\mathcal{S}'_{u,v}| / |\mathcal{S}'| \ge \frac{1}{q_h(q_h+1)}\}$ and $B = \{(\Theta, \Omega, H) \in 
\mathcal{S}'_{u,v} \mid (u, v) \in GI\}$. Then, it holds that $\Pr[B \mid \mathcal{S}'] \ge \frac{1}{2}$. Due to this fact, known as the 
heavy-row lemma, the $(\Theta, \Omega, H)$ that yields the successful run of $\mathcal{A}$ is in $B$ with 
probability at least $1/2$. 

Split $H$ as $(H^-, c_k)$ where $H^-$ corresponds to the answers to all queries 
except for $Q_v$, which is answered with $c_k$. Due to the heavy-row lemma, again, with 
probability at least $1/2$, $(\Theta, \Omega, H^-)$ satisfies $\Pr_{c_k}[(\Theta, \Omega, H^-, c_k) \in \mathcal{S}'_{u,v}] \ge \frac{\epsilon'}{2 q_h (q_h + 1)}$. 
Since we assume $\epsilon > \frac{8 q_h^2}{q}$ and $q > 2 q_h q_s$, it holds that $\frac{\epsilon'}{2 q_h (q_h + 1)} > \frac{1}{q}$. 

By running $\mathcal{A}$ up to $t_2 = \left(\frac{\epsilon'}{2 q_h (q_h + 1)} - \frac{1}{q}\right)^{-1}$ times with the $(\Theta, \Omega, H^-)$ obtained 
in the first successful run and randomly chosen $c'_k$ ($\ne c_k$), $sim$ finds, with probability 
at least $3/5$, at least one $c'_k$ such that $(\Theta, \Omega, H^-, c'_k) \in \mathcal{S}'_{u,v}$. Since $Q_u$ 
happens before $Q_v$, $r_k$ is unchanged in both runs. Therefore, $sim$ can compute 
the discrete-log $x_k = (s_k - s'_k) / (c'_k - c_k) \bmod q_k$. The overall success probability is 

$$\mu \ge \frac{3}{5} \cdot \frac{1}{2} \cdot \frac{1}{2} \cdot \frac{3}{5} = \frac{9}{100},$$

and the number of invocations of $\mathcal{A}$ is 

$$t_1 + t_2 < \frac{1}{\epsilon'} + \frac{4 q_h (q_h + 1)}{\epsilon'} < \frac{4}{\epsilon} + \frac{16 q_h (q_h + 1)}{\epsilon} \le \frac{32 q_h^2 + 4}{\epsilon}.$$

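The extraction step at the end of the proof is pure algebra once the two runs share $r_k$, and it is worth seeing executed. The Python below is an added example, not the paper's code: it plays the black-box adversary with an honest one-member Schnorr ring (which is the only way to obtain two runs offline; the simulator itself never learns $x$), keeps the random tape and hence $\alpha$ and $r_k$ fixed, resamples the oracle answer $c_k$, and recovers $x_k = (s_k - s'_k)/(c'_k - c_k) \bmod q_k$. The toy group and the SHA-256 encoding are this example's assumptions. The same algebra is why a deployed Schnorr or DSA signer must never reuse its nonce $\alpha$ across two messages.

```python
import hashlib
from secrets import randbelow

# Constructed toy Schnorr group (p = 2q + 1, g = 4 of order q); not a secure size.
P, Q, G = 1019, 509, 4


def schnorr_hash(y, m, r):
    """H(L, m, r) for the one-member ring L = [y], reduced into Z_q."""
    data = repr(((y, P, Q, G), m, r)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def forked_transcripts(x, m):
    """Produce the two runs of the rewinding simulation.

    The random tape, and with it alpha and r_k = g^alpha, is identical in both
    runs; only the oracle answer c_k to query Q_v is resampled in the second.
    The honest signer stands in for the forger here.
    """
    alpha = randbelow(Q)
    r = pow(G, alpha, P)
    y = pow(G, x, P)
    c1 = schnorr_hash(y, m, r)          # first run: c_k is the real oracle answer
    c2 = c1
    while c2 == c1:                     # second run: fresh c'_k != c_k
        c2 = randbelow(Q)
    s1 = (alpha - x * c1) % Q
    s2 = (alpha - x * c2) % Q           # same alpha, new challenge
    return r, (c1, s1), (c2, s2)


def extract_dlog(y, r, t1, t2):
    """x_k = (s_k - s'_k) / (c'_k - c_k) mod q from two transcripts sharing r_k."""
    c1, s1 = t1
    c2, s2 = t2
    if c1 == c2:
        raise ValueError("transcripts must differ in the challenge")
    # Both transcripts must verify against the same commitment r; the gap index
    # in the proof is exactly what guarantees r_k was fixed before c_k was answered.
    for c, s in (t1, t2):
        if pow(G, s, P) * pow(y, c, P) % P != r:
            raise ValueError("transcript does not verify")
    return (s1 - s2) * pow((c2 - c1) % Q, -1, Q) % Q
```

`extract_dlog` uses only public data ($y$, $r_k$ and the two $(c, s)$ pairs), which is the point of the reduction: anyone holding two valid responses to the same commitment holds the key.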
Appendix C (Proof of Theorem 4) 

The first half of the proof is the same as the one for Theorem 3 (the simulation 
of the signing oracle is different but can be done with only trivial changes). That 
is, there exists a class $\mathcal{S}'$ such that $(\Theta, \Omega, H) \in \mathcal{S}'$ results in a successful simulation 
of the signing oracle and the forged signature has corresponding queries to the 
random oracle. Accordingly, $\Pr[(\Theta, \Omega, H) \in \mathcal{S}'] \ge (1 - q_h q_s / N)(1 - 1/N)\epsilon$. 

At the beginning of the simulation, $sim$ selects a pair of indices $(u, v)$ randomly 
so that $1 \le u \le v \le q_h$. With probability $2 / (q_h(q_h + 1))$, the guess is correct and 
$sim$ receives $Q_u = (k+1, L, m, r_k)$ and $Q_v = (k, L, m, r_{k-1})$ so that $(u, v)$ is a gap 
index. Let $k'$ be the index such that $vk_{k'} \in \mathcal{L}$ corresponds to $vk_k \in L$. When query 
$Q_v$ is made (the $u$-th query has already been made by this moment), $sim$ returns 
$c_k = r_k - w_{k'} \bmod N_k$ as the value of $H_k(L, m, r_{k-1})$. If $\mathcal{A}$ is successful in forgery, 
it outputs $s_k$ that satisfies $r_k = c_k + s_k^{e_k} \bmod N_k$. Since $r_k = c_k + w_{k'} \bmod N_k$, 
we obtain $s_k$ as the inverse of $w_{k'}$ with regard to the public-key $vk_{k'}$ in $\mathcal{L}$. 

The overall success probability of $sim$ is 

$$\mu \ge \frac{(1 - q_h q_s / N)(1 - 1/N)}{q_h(q_h + 1)/2}\,\epsilon > \frac{\epsilon}{4 q_h^2}.$$

The rightmost term assumes $N > 2 q_h q_s$. The running time $\eta$ is almost the same 
as $\tau$, since $sim$ runs $\mathcal{A}$ only once and the simulation cost for the signing oracle and 
the random oracle is assumed to be sufficiently smaller than $\tau$. 


Appendix D (Proof of Theorem 5) 

We show that if there exists a $(\tau, \epsilon, q_s, q_h)$-adversary $\mathcal{A}$ for a set of public-keys $L$ 
of size $n$, then there exists a $(\tau', \epsilon')$-simulator $sim$ such that, using $\mathcal{A}$ as a black-box, 
it computes $w^d \bmod N$ for $w \leftarrow \mathbb{Z}_N$ with probability greater than $3/5$ and 
running time no more than $\frac{4 q_h^2}{\epsilon}\tau$, or computes the discrete-logarithm of $y$ with 
probability greater than $\frac{9}{100}$ and running time no more than $\frac{32 q_h^2 + 4}{\epsilon}\tau$. 

Let $\gamma$ be $\min(q, N)$. We assume that $\gamma > 2 q_h q_s$ and $\epsilon > \frac{8 q_h^2}{\gamma}$. 

The proof is by combining the proofs for Theorems 3 and 4. Let $\epsilon' = (1 - 
q_h q_s / \gamma)(1 - 1/\gamma)\epsilon$. 

Simulator $sim$ guesses $(u, v)$ and runs $\mathcal{A}$. If $Q_v = (0, L, m, r_1)$ for some $L$, $m$ 
and $r_1$, $sim$ checks if $Q_u = (1, L, m, r_0)$ for the same $L, m$ and some $r_0$. If it is the 
case, $sim$ chooses $t \leftarrow \mathbb{Z}_N$ and returns $c_0 = r_0 - w t^e \bmod N$ as the value of 
$H_0(L, m, r_1)$. If $\mathcal{A}$ succeeds and $(u, v)$ forms a gap, it holds that $s_0 = (r_0 - c_0)^d = 
(w t^e)^d = w^d t \bmod N$. Accordingly, $s_0 / t = w^d \bmod N$. In this case, the simulation 
ends here successfully. Such a successful case happens with probability greater 
than $3/5$ while repeating the simulation at most $\frac{q_h(q_h+1)/2}{\epsilon'} < \frac{4 q_h^2}{\epsilon}$ times 
(this is straightforward from the proof of Theorem 4 in Appendix C). 

For all other cases, $sim$ proceeds as follows. Regardless of the initial guess of 
$(u, v)$, $sim$ completes an execution of $\mathcal{A}$. If $\mathcal{A}$ succeeds and the resulting gap index, 
say $(u', v')$, corresponds to the queries $Q_{u'} = (0, L, m, r_1)$ and $Q_{v'} = (1, L, m, r_0)$, 
namely, if the resulting gap index comes across the discrete-log key, $sim$ proceeds 
to the rewinding simulation with the forking point $v'$ in the same way as done in the 
proof of Theorem 3. As a result, $sim$ gets a collision and computes the discrete-log, 
$x$. The success probability and the running time for this case are the same as 
those in the proof of Theorem 3. 
Abstract. A revocation or broadcast encryption technology allows a 
sender to transmit information securely over a broadcast channel to a 
select group of receivers, excluding some revoked receivers. In this paper 
we propose two efficient revocation methods which are suitable for stateless 
receivers. The proposed methods use an $a$-ary key tree structure and 
require at most $r\left(\log_a \frac{N}{r} + 1\right)$ ciphertexts to be broadcast. Our Method 1 
requires only one key to be stored and $O(2^a \log_a N)$ computational overhead 
at a receiver, whereas Method 2 requires more keys to be stored and $O(2^a)$ 
computational overhead, where $N$ and $r$ respectively denote the total 
number of receivers and the number of revoked receivers. Our methods 
are very efficient with respect to the number of keys each receiver stores; 
in particular, Method 1 minimizes it. 


1 Introduction 

Recent advances in technology give us a lot of ways to distribute digital data 
without loss of quality. We can easily use, modify and exchange many kinds 
of digital data such as digital pictures or music. However, those advances have 
caused serious challenges related to copyright protection or digital rights man- 
agement issues. Though copyright-protected data (e. g. music, movies or TV pro- 
grams) should be treated under conditions to which its copyright holder agrees, 
various kinds of such content can be recorded, copied or exchanged in an ille- 
gal manner. One of the technologies that are being used to protect such data 
is called revocation scheme or broadcast encryption scheme. This technology al- 
lows a sender to transmit information securely over a broadcast channel to a 
select group of receivers. The sender may exclude some receivers (called revoked 
receivers ) and enable only legitimate receivers to obtain the transmitted infor- 
mation. 

Revocation schemes are used in many real world applications. For example, 
in a pay-TV system, users can watch TV programs if they subscribe to the 
service and pay the fee. If some users do not pay for the programs, they might 
be excluded, so that they will not be able to watch the program the following 
month even if they own an appropriate receiver. Other examples are CPPM 
and CPRM, which are systems protecting copyrighted content stored on pre-recorded 
or recordable media from unauthorized copying. In these systems only 
compliant receivers (i. e. players or recorders) that are manufactured under a 
certain license contract can retrieve secret information (called session key ) from 
a medium using their receiver keys. The session key is required for decryption or 
encryption of the content file stored on the medium. If it is found that there is 
a receiver which does not obey the license contract this receiver will be revoked, 
and as a result it will no longer be able to retrieve the session keys distributed 
after the revocation. 

For general receivers (e. g. consumer electronics devices), the easiest way 
to store secret information such as receiver keys is storing it as part of the 
initial configuration at manufacturing time. Giving a mechanism to receivers for 
changing keys they store increases the production cost and might also weaken 
their security. Therefore it is preferable in most cases to assume that receivers can 
not change their keys. Such receivers are called stateless receivers. Typical 
examples of stateless receivers are off-line devices, such as CD 
or DVD players. In this paper we propose two efficient revocation methods that 
are suitable for stateless receivers. 

The organization of this paper is as follows. We introduce related work and 
the contributions of this paper in the rest of this section. Section 2 describes the two 
revocation methods proposed in this paper. We discuss the security of our methods 
in Section 3, and some techniques and the properties of those methods in Section 4. 
We present a modification of CPPM and CPRM in Section 5. Our results in this 
paper are summarized in Section 6. 

1.1 Related Work 

As described in the previous section, a revocation scheme or broadcast encryp- 
tion scheme allows a sender to transmit information securely over a broadcast 
channel to a select group of receivers. Let N and r be the total number of re- 
ceivers in the system and the number of revoked receivers, respectively. A naive 
method to implement this scheme is as follows. Assume each receiver owns a 
unique key. A sender broadcasts secret information encrypted under each of the 
unique keys owned by the non-revoked receivers. This method requires each 
receiver to store only one key, but the sender must transmit $N - r$ ciphertexts. 
Since a large amount of bandwidth is necessary for large N, this method is not 
suitable for applications where the bandwidth for such data is restricted. 

There exists another naive method where the size of the broadcast message 
is minimized. We call it the Power Set Method. The method defines the power set 
of the $N$ receivers, i.e. $\{S_{b_1 b_2 \ldots b_j \ldots b_N}\}$ where $b_j \in \{0, 1\}$. Each $b_j$ indicates whether 
or not receiver $j$ belongs to the subset $S_{b_1 b_2 \ldots b_j \ldots b_N}$. It assigns a subset key to 
each subset and gives the subset key to the receivers which belong to the subset. 
To send secret information to an arbitrary group of receivers, a sender chooses 
the subset where $b_j = 1$ only for the selected receivers $j$, encrypts the information 
with the subset key corresponding to that subset, and broadcasts the ciphertext. 
This method requires the sender to broadcast only one ciphertext, while each 
receiver needs to store $2^{N-1}$ keys. Hence this method is not suitable for receivers 
in many applications if $N$ is large. However, we use this technique in conjunction 
with a key tree structure in order to reduce the number of ciphertexts which are 
broadcast in our methods. 

The notion of broadcast encryption was introduced by Berkovits [3] and 
Fiat et al. independently. The main criteria for this technology are the 
number of ciphertexts (the length of the message) to be broadcast, the number 
of keys each receiver stores, and the computational overhead at a receiver. 
Berkovits constructed a broadcast encryption method using a secret sharing 
scheme. This method requires each receiver to store one key; however, the 
length of the broadcast message is $O(N)$. Fiat et al. proposed an $r$-resilient 
method which is resistant to a collusion of up to $r$ revoked receivers by combining 
their 1-resilient methods hierarchically. This method requires a message length 
of $O(r^2 \log^2 r \log N)$ and storage of $O(r \log r \log N)$ at each receiver. 

Wallner et al. [24] and Wong et al. [25] independently proposed efficient 
methods using a logical key tree structure. Their methods define a logical tree 
and a node key for each node of the tree. Each receiver is assigned to a leaf of the 
tree and given the set of node keys defined for the nodes on the path from the leaf 
to the root of the tree. Therefore, each receiver stores $\log N + 1$ keys, assuming 
that the system uses a binary tree. All of these keys except one are shared 
with other receivers. This method revokes one receiver at a time, and updates all 
keys stored by non-revoked receivers which were also owned by the revoked 
receiver. A sender needs to broadcast $2 \log N$ ciphertexts and a receiver needs 
to perform at most $\log N$ decryptions for this single revocation. If the system 
needs to revoke $r$ receivers by repeating the single revocation, the sender has to 
send $2 r \log N$ ciphertexts. 

Since the key tree structure has good properties, modifications of the methods 
of [24, 25] have been proposed. Some of them reduce the message size 
for a single revocation to $\log N$ by combining the key tree structure with another 
technique: McGrew et al. used a one-way function, Canetti et al. used 
a pseudo-random generator, and Kim et al. used the Diffie-Hellman key 
exchange scheme. The number of keys a receiver stores remains $\log N + 1$, while 
their methods increase the computational overhead at a receiver; namely, each 
receiver needs to perform the computation of such a technique at most $\log N$ 
times. Like their original methods, they assume non-stateless receivers, i.e. 
receivers that have the capability to change their keys. 

If receivers are not stateless, they can store keys (e.g. shared keys established 
between the sender and a group of receivers) given at time $t_1$ and use them at 
time $t_2$ (where $t_1 < t_2$) to obtain the current session key. This may contribute 
to reducing the size of the broadcast. On the other hand, stateless receivers can 
store only the keys given at the initial stage, such as manufacturing time. Hence 
every broadcast message must contain enough information to enable non-revoked 
receivers to obtain the current session key using their initial receiver keys. 

Kumar et al. proposed revocation methods using error correcting codes. 
In their methods only non-revoked receivers can correct the error in the broadcast 
message and retrieve the secret information. Their construction based on 
polynomials requires $O(r \log N)$ messages broadcast and $O(r \log N)$ storage 
at a receiver, and their construction based on algebraic-geometric codes requires 
$O(r^2)$ messages and $O(r \log N)$ storage overhead. The latter construction is 
interesting because the length of the message is independent of the total number 
of receivers. 

Anzai et al. [2] and Naor et al. independently proposed other methods 
using a secret sharing scheme. The main advantage of their methods is the size 
of storage at receivers: their methods require receivers to store a single element of a 
certain group. On the other hand, the methods require $O(w)$ messages broadcast 
and $O(w)$ exponentiations performed at a receiver, where $w$ is the upper bound 
on the number of revoked receivers in the system, which is fixed in advance. 
In other words, if we set the system to be resistant to a collusion of any number of 
revoked receivers then $O(N)$ messages and $O(N)$ exponentiations are required, 
regardless of the number of receivers actually revoked. Matsuzaki et al. 
modified their method to reduce the computational overhead at a receiver to 
two modular exponentiations. 

CPPM and CPRM are methods for protection of copyrighted content stored on pre-recorded or recordable media (e.g. disks or semiconductor memories) that work with stateless receivers. These methods require a prefixed number of ciphertexts to be broadcast on the media and a relatively small number of keys to be stored at a receiver. However, their revocation capability is restricted. We give a detailed explanation of their properties, as well as a modification of them, in Section 5.

Naor et al. proposed two efficient methods suitable for stateless receivers using a binary key tree construction. The Complete Subset Method requires a sender to broadcast r log(N/r) ciphertexts and each receiver to store log N + 1 keys, whereas the Subset Difference Method, using a pseudo-random sequence generator, requires 2r − 1 ciphertexts, (1/2) log^2 N + (1/2) log N + 1 keys and O(log N) computational overhead at a receiver.

Luby et al. and Poovendran et al. analyzed the criteria of broadcast encryption schemes under information-theoretic concepts. Since the methods we propose in this paper are constructed upon a computational assumption, their bounds are not applicable to them.

Our methods use a key tree structure and are suitable for stateless receivers. They provide a good balance among the criteria for revocation technology, and are more efficient with respect to the number of keys stored at each receiver than previously proposed methods with such a structure. In particular, one of our methods requires receivers to store only one key.

Another topic related to revocation technology is traitor tracing, introduced by Chor et al. This is used to find a receiver who contributed to the production of a non-legitimate receiver device or software by giving away its secret information (e.g. receiver keys). Many schemes with traitor tracing capability, such as [4, 7, 17, 18], have been proposed. We briefly explain the applicability of our methods to a traitor tracing scheme in Section 4.4.

1.2 Our Results

In this paper we propose two efficient revocation methods suitable for stateless receivers. The Master Key technique due to Chick et al. (a similar technique also appears in earlier work) contributes to reducing the number of keys each receiver stores, and the Power Set Method used in conjunction with an a-ary logical key tree structure helps to reduce the number of ciphertexts to be broadcast, where the parameter a can be any positive integer satisfying a > 1. In turn, our methods require receivers to perform some computations.

The properties of our methods are shown in Table 1. For comparison, this table also contains the properties of the Complete Subset Method (CSM) and the Subset Difference Method (SDM) proposed by Naor et al., which are considered to be the most efficient among the methods proposed previously. In Method 1 we construct a revocation method which requires receivers to store only one key (a master key). Therefore, this method achieves minimal storage overhead for receivers. Method 2 is a variant of Method 1 which reduces the computational cost incurred by receivers to derive a key used for decryption of a broadcast ciphertext from their master key, in exchange for an increase in the number of master keys they store.

Table 1 shows that although our methods require more computational overhead at receivers, they are more efficient than the other methods with respect to the number of keys each receiver stores. Our methods are also more efficient than CSM with regard to the number of ciphertexts broadcast. Since the Master Key technique is based on the security of the RSA cryptosystem, the size of each master key in our methods is the size of a secure RSA modulus. Note that, as analyzed by Naor et al., a receiver in each method in Table 1 needs O(log log N) lookup operations (in order to find the appropriate ciphertext to decrypt) and a single decryption operation, which are omitted from the table.

We show that our methods are secure under an assumption related to the RSA cryptosystem. Then we discuss some techniques which are used in our methods to reduce the size of the broadcast and the size of the storage at a receiver. We also provide a modification of CPPM and CPRM using the Master Key technique which reduces the size of the storage at receivers.


Table 1. The properties of the methods of Naor et al. (CSM, SDM) and our methods

                                   CSM          SDM             Method 1                     Method 2
Number of ciphertexts              r log(N/r)   2r − 1          r(log_a(N/r) + 1)            r(log_a(N/r) + 1)
Number of keys at receiver         log N        (1/2) log^2 N   1                            log_a N
Comp. cost for key derivation:
  Pseudo-random generator          −            O(log N)        −                            −
  Generation of primes             −            −               O(2^a log_a N) (Sect. 4.3)   −
  Num. of multiplications          −            −               (2^{a−1} − 1) log_a N        2^{a−1} − 1
  Num. of modular exp.             −            −               1                            1

2 The Proposed Methods

In this section we introduce two efficient revocation methods. These methods use the Power Set Method' defined below as an elemental technique.

Power Set Method' with n Elements. Suppose there is a set of n elements i (i = 1, ..., n). Define 2^n − 2 subsets S_{b_1 b_2 ... b_i ... b_n} where b_i ∈ {0, 1}, Σ_{i=1}^{n} b_i ≠ 0 and Σ_{i=1}^{n} b_i ≠ n (these are the elements of the power set except the two cases in which all b_i are 0 or all are 1). Assign a subset key to each subset. Give the subset keys corresponding to the subsets with b_i = 1 to element i. To send secret information to an arbitrary group of elements (except the group consisting of all elements), choose the subset where b_i = 1 exactly for the selected elements i, encrypt the information with the subset key corresponding to that subset and send the encrypted information.

Assume N is a power of a positive integer a. Our methods adopt a logical a-ary tree called the Hierarchical Key Tree (HKT) and the Power Set Method' with a elements for each internal node (including the Root¹) in the HKT. Basically 2^a − 2 subsets are defined for each internal node. A subset key is chosen for each subset and 2^{a−1} − 1 subset keys are given to each child node of the internal node. A receiver is assigned to a leaf of the HKT. Let path_j be the path from the leaf to which a receiver u_j is assigned up to the Root. A receiver u_j is given master key(s) that can derive any subset key given to a node on path_j. Transmission of secret information, including revocation of receivers, is performed by broadcasting one or more ciphertexts encrypted under subset keys. This construction has the useful property that only one ciphertext needs to be sent for secure transmission to an arbitrary set of child nodes of a given internal node in the HKT.

We have two ways of applying the Master Key technique to a revocation scheme. In Method 1 we adopt the Master Key system for the whole HKT. A receiver u_j is given a master key of the (2^{a−1} − 1) log_a N + 1 subset keys corresponding to the subsets to which the receiver belongs, i.e. those subset keys given to the nodes on path_j. Note that those subsets contain a subset to which all N receivers belong, and the corresponding subset key is used if no receivers are revoked. In Method 2 we apply the Master Key system to each internal node in the HKT. In this method log_a N master keys are given to a receiver u_j. Each master key can derive at most 2^{a−1} subset keys corresponding to subsets, defined for a node on path_j, to which the receiver u_j belongs.

2.1 Method 1
Setup

Step 1. The Trusted Center (TC), which is the sender of secret information, defines a rooted full a-ary HKT with N leaves. Each internal node in the HKT is named v_k (k = 1, ..., (N − 1)/(a − 1)), where the Root is v_1 and the other nodes are named in breadth-first order. A receiver u_j (j = 1, ..., N) is assigned to each leaf of the HKT. TC defines 2^a − 2 subsets S_{k, b_1 b_2 ... b_i ... b_a} where b_i ∈ {0, 1}, Σ_{i=1}^{a} b_i ≠ 0 and Σ_{i=1}^{a} b_i ≠ a for each internal node v_k. TC also defines a subset S_{1, 11...1} for the Root. TC selects large primes q_1 and q_2 and publishes M (= q_1 q_2).

Figure 1 shows an example of the HKT for a = 3 and N = 27, and the subsets which are defined for its internal nodes. The way the subsets are defined is common to Method 1 and Method 2.

  internal node v_k      subsets defined for v_k
  v_1                    S_{1,100}, S_{1,010}, S_{1,001}, S_{1,110}, S_{1,101}, S_{1,011}, S_{1,111}
  v_2, ..., v_13         S_{k,100}, S_{k,010}, S_{k,001}, S_{k,110}, S_{k,101}, S_{k,011}

Fig. 1. Subsets defined for internal nodes of the tree (a = 3, N = 27; the tree has (N − 1)/(a − 1) = 13 internal nodes)

¹ For clarity, we write the root of the HKT as 'the Root'.

Step 2. TC chooses (2^a − 2)(N − 1)/(a − 1) + 1 primes p_{k, b_1 b_2 ... b_i ... b_a} where k = 1, ..., (N − 1)/(a − 1), b_i ∈ {0, 1}, Σ_{i=1}^{a} b_i ≠ 0 for all k and Σ_{i=1}^{a} b_i ≠ a for k ≠ 1. Let B denote b_1 b_2 ... b_i ... b_a. Then TC assigns p_{k,B} to the subset S_{k,B} and publishes this assignment. Let T be the product of all primes assigned to the subsets. TC randomly chooses an element K ∈ Z_M^* and sets the subset key SK_{k,B} corresponding to the subset S_{k,B} as

    SK_{k,B} = K^{T / p_{k,B}} mod M.

TC (imaginarily) gives the subset keys SK_{k,B} with b_i = 1 to the i-th child node of the internal node v_k. Therefore, 2^{a−1} − 1 subset keys are given to each of the child nodes of an internal node. In addition, the subset key SK_{1,11...1} is given to each of the child nodes of the Root.

Step 3. TC gives a receiver u_j a master key MK_j of the (2^{a−1} − 1) log_a N + 1 subset keys that are given to the nodes on path_j. Let W_j be the product of all primes assigned to the subsets to which the receiver u_j belongs (i.e. the corresponding subset keys are given to the nodes on path_j). The master key MK_j is defined as

    MK_j = K^{T / W_j} mod M.

In the example depicted in Fig. 1, the following master key MK_1 of subset keys is given to a receiver u_1.

  master key    corresponding subset keys
  MK_1          SK_{1,100}, SK_{1,110}, SK_{1,101}, SK_{1,111}
                SK_{2,100}, SK_{2,110}, SK_{2,101}
                SK_{5,100}, SK_{5,110}, SK_{5,101}

Revocation. Transmission of secret information (e.g. a session key used for encryption or decryption of a content file), including revocation of some receivers, is performed by broadcasting one or more ciphertexts. Each ciphertext is an encryption of the secret information under a subset key. To find the subset keys to be used for this encryption, TC abandons all subset keys which are known to revoked receivers. This can be viewed as removing all edges on the paths from the leaves corresponding to the revoked receivers up to the Root in the HKT. This removal leaves one or more disjoint subtrees. Each subtree corresponds to a subset defined for its root node, which is an internal node in the HKT, and every leaf of such a subtree is assigned to a non-revoked receiver. TC encrypts the secret information under the subset keys corresponding to those subsets, then broadcasts the ciphertexts. We examine the upper bound of the number of ciphertexts broadcast in Section 4.1 and describe a technique used to encrypt the secret information in Section 4.2.


Decryption. A non-revoked receiver belongs to the subset corresponding to the subtree which contains its leaf after the revocation phase. Note that for a non-revoked receiver u_j there is exactly one ciphertext in the broadcast message which is an encryption under a subset key derivable from its master key MK_j. Naor et al. introduced techniques for listing and searching the correspondence between subsets and receivers, which can be used in conjunction with our methods.

After finding the appropriate subset, a receiver u_j computes the corresponding subset key SK_{k,B} from its master key MK_j and decrypts the ciphertext using the subset key in order to retrieve the secret information. The derivation of the subset key is performed as follows.

    MK_j^{W_j / p_{k,B}} mod M = (K^{T / W_j})^{W_j / p_{k,B}} mod M = K^{T / p_{k,B}} mod M = SK_{k,B}

Recall that p_{k,B} | W_j and that W_j is a product of (2^{a−1} − 1) log_a N + 1 primes. The computational overhead is roughly O(2^a log_a N) for generation of primes, as analyzed in Section 4.3, plus (2^{a−1} − 1) log_a N multiplications (to form the exponent W_j / p_{k,B}) and one modular exponentiation.
2.2 Method 2
Setup

Step 1. The process in Step 1 is the same as in Method 1.

Step 2. TC chooses 2^a − 1 primes p_{b_1 b_2 ... b_i ... b_a} where b_i ∈ {0, 1} and Σ_{i=1}^{a} b_i ≠ 0. Let B denote b_1 b_2 ... b_i ... b_a. TC assigns p_B to the subset S_{k,B} defined for each internal node v_k (k = 1, ..., (N − 1)/(a − 1)) and publishes this assignment. Let T be the product of all primes p_B. Then TC independently chooses (N − 1)/(a − 1) elements K_k ∈ Z_M^* and sets the subset key SK_{k,B} corresponding to the subset S_{k,B} as

    SK_{k,B} = K_k^{T / p_B} mod M.

Similar to Method 1, TC (imaginarily) gives the subset keys SK_{k,B} with b_i = 1 to the i-th child node of v_k.

Step 3. TC gives a receiver u_j a set of log_a N master keys MK_{j,k}, each of which is a master key of the subset keys whose corresponding subsets are defined for a node v_k on path_j and are given to its child node which is also located on path_j. A master key MK_{j,k} can derive 2^{a−1} − 1 subset keys. In addition, the master key MK_{j,1} can generate the subset key SK_{1,11...1}. The master key MK_{j,k} is defined as

    MK_{j,k} = K_k^{T / W_{j,k}} mod M

where W_{j,k} is the product of all primes assigned to the subsets satisfying (i) these subsets are defined for the node v_k and (ii) the corresponding subset keys are given to a child node of v_k where both v_k and the child node are located on path_j (in other words, the leaf assigned to the receiver u_j is also a leaf of the subtree rooted at that child node).

In the example depicted in Fig. 1, the following three master keys are given to a receiver u_1.

  master key    corresponding subset keys
  MK_{1,1}      SK_{1,100}, SK_{1,110}, SK_{1,101}, SK_{1,111}
  MK_{1,2}      SK_{2,100}, SK_{2,110}, SK_{2,101}
  MK_{1,5}      SK_{5,100}, SK_{5,110}, SK_{5,101}

Revocation. The way of transmitting secret information, including revocation, is the same as in Method 1.

Decryption. The process in this phase is basically the same as in Method 1. The only difference is the way of deriving a subset key. A receiver u_j derives a subset key SK_{k,B} from its master key MK_{j,k} as follows.

    MK_{j,k}^{W_{j,k} / p_B} mod M = (K_k^{T / W_{j,k}})^{W_{j,k} / p_B} mod M = K_k^{T / p_B} mod M = SK_{k,B}

Since W_{j,k} is a product of at most 2^{a−1} primes, this computation requires at most 2^{a−1} − 1 multiplications and one modular exponentiation.² The computational overhead for generation of primes is negligible, as analyzed in Section 4.3.

3 Security of the Proposed Methods 

To study the security of our methods, we investigate attacks on the Master Key technique used in these methods. The Master Key system is adopted for the whole HKT in Method 1, whereas it is applied to each internal node in the HKT in Method 2. Suppose that some attackers colluding with each other try to compromise the Master Key system in order to obtain subset keys defined in the targeted system. We consider two cases:

Case I. None of the attackers knows any of the subset keys defined in the targeted Master Key system.

Case II. The attackers know at least one subset key defined in the targeted system.

A situation in which all attackers are outside of the N receivers is regarded as Case I in both of our methods. Another situation regarded as Case I in Method 2 is that at least one of the attackers is a receiver of this revocation scheme but none of them is assigned to a leaf of the subtree rooted at the node where the targeted Master Key system is applied. Since K in Method 1 and K_k in Method 2 are independent of the other systems, subset keys are considered to be indistinguishable from random numbers of length |M| for those attackers in Case I. Therefore we focus on Case II.

In Case II, the attackers know at least one subset key of the targeted Master Key system. Such attackers may include revoked receivers in the targeted system who attempt to obtain subset keys they do not have by breaking the system. We show that our methods are secure against any collusion of revoked receivers under the following assumption related to the RSA cryptosystem.

Assumption. If the factors q_1, q_2 of a large composite M = q_1 q_2 are unknown, then computing p-th roots (mod M) for integral p > 1 is difficult.

We introduce a theorem and a corollary proven in the appendix of the paper by Chick et al.

Theorem. Let t and t_1, ..., t_n be given integers and suppose there is a computable function F for which K^t = F(K^{t_1}, K^{t_2}, ..., K^{t_n}) mod M for every K ∈ Z_M^*, the group of units mod M. Let d = gcd{t_i}, e = gcd(t, d) and p = d/e. Then we can compute p-th roots in Z_M^*.

Suppose that such a function F exists for p > 1; then we can compute non-trivial p-th roots in Z_M^*. This contradicts the assumption. Therefore the following corollary holds.

Corollary. Under the assumption above, such a function exists only for p = 1, namely gcd{t_i} | t.

Now we consider the case that some revoked receivers in the targeted Master Key system collude with each other and try to compromise a subset key which is not included in any of the master keys owned by the colluding receivers. Let G be a set of master keys, which are integer powers of K mod M, {MK_1 = K^{t_1} mod M, MK_2 = K^{t_2} mod M, ..., MK_k = K^{t_k} mod M}. Suppose (i) there exists a function F computing a subset key SK_m = K^{T / p_m} mod M = K^{t_m} mod M from the set G and (ii) SK_m is not included in any master key of G. On one hand, from (i) and the corollary,

    gcd{t_i : MK_i ∈ G} | t_m    (1)

must hold. By definition of a master key, t_i is the product of the primes corresponding to the subsets which are not included in the master key MK_i. Since we can write t_i = α_i p_m where gcd(α_i, p_m) = 1 from (ii), we have gcd{t_i : MK_i ∈ G} = α p_m where gcd(α, p_m) = 1. On the other hand, since T is the product of all primes corresponding to all subsets, we can write T = β p_m where gcd(β, p_m) = 1 (i.e. β = t_m). From (1), we have α p_m | β. However, gcd(α, p_m) = gcd(β, p_m) = 1. This is a contradiction, so the assumption that an SK_m which is not included in any master key in G can be derived from G is wrong. This proves that our methods are secure against any conspiracy of revoked receivers under the assumption described above.

² If we define the subset key SK_{1,11...1} without using the Master Key technique, we have a revocation method with log_a N + 1 keys and at most 2^{a−1} − 2 multiplications at a receiver.
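As an added example (this is not the paper's code), the following Python builds the toy HKT of Fig. 1 (a = 3, N = 27) and runs the Method 1 and Method 2 setup and receiver-side derivation of Sections 2.1 and 2.2 end to end, then, for the argument of this section, combines several master keys with the extended Euclidean algorithm to obtain K^{gcd(t_i)} and checks that the subset keys this yields are exactly the union of what the colluders already held. All parameters are constructed for the demonstration: the modulus M = 1000003 · 1000033 stands in for a secure RSA modulus, K and the K_k are fixed small values rather than random elements of Z_M^*, the subset-to-prime assignment simply uses the first 79 primes, and the breadth-first node numbering and function names are my own.

```python
import math
from itertools import product

# Constructed toy instance matching Fig. 1: a = 3, N = 27 (not the paper's code).
A, N = 3, 27
N_INT = (N - 1) // (A - 1)          # 13 internal nodes v_1..v_13, breadth-first, v_1 = Root
Q1, Q2 = 1000003, 1000033           # toy secret primes; a real M is a secure RSA modulus
M = Q1 * Q2
K = 123456789                       # TC's secret K in Z_M^* (constructed, not random)

def path(j):
    """Internal nodes on path_j, leaf side first, each with the 0-based index of the
    child that leads on to the leaf of u_j (leaf index = N_INT + j)."""
    node, out = N_INT + j, []
    while node != 1:
        parent = (node - 2) // A + 1        # children of v_k are v_{a(k-1)+2} .. v_{ak+1}
        out.append((parent, (node - 2) % A))
        node = parent
    return out

def subsets_for(k):
    """Bit strings B of length a with 0 < |B| < a; only the Root also gets 11..1."""
    bs = [B for B in product((0, 1), repeat=A) if 0 < sum(B) < A]
    return bs + [(1,) * A] if k == 1 else bs

def small_primes(count):
    ps, n = [], 2
    while len(ps) < count:
        if all(n % p for p in ps):
            ps.append(n)
        n += 1
    return ps

def ext_gcd(a, b):
    """Iterative extended Euclid: (g, x, y) with x*a + y*b == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1, y0, y1 = x1, x0 - q * x1, y1, y0 - q * y1
    return a, x0, y0

# --- Method 1: one Master Key system for the whole HKT ---------------------------
SUBSETS = [(k, B) for k in range(1, N_INT + 1) for B in subsets_for(k)]  # (2^a-2)*13 + 1 = 79
PRIME = dict(zip(SUBSETS, small_primes(len(SUBSETS))))                   # public p_{k,B}
T = math.prod(PRIME.values())

def subset_key(k, B):
    return pow(K, T // PRIME[(k, B)], M)            # SK_{k,B} = K^{T/p_{k,B}} mod M

def my_subsets(j):
    """Subsets on path_j whose keys u_j holds: b_i = 1 for the child on path_j."""
    return [(k, B) for k, i in path(j) for B in subsets_for(k) if B[i] == 1]

def master_key(j):
    """MK_j = K^{T/W_j}; W_j is returned as well because the receiver needs it."""
    W = math.prod(PRIME[s] for s in my_subsets(j))
    return pow(K, T // W, M), W

def derive(mk, W, k, B):
    """Receiver side: SK_{k,B} = MK_j^{W_j/p_{k,B}} mod M, only if p_{k,B} | W_j."""
    p = PRIME[(k, B)]
    if W % p:
        raise ValueError("subset key is not covered by this master key")
    return pow(mk, W // p, M)

# --- Method 2: an independent Master Key system per internal node -----------------
K_NODE = {k: 424242 + k for k in range(1, N_INT + 1)}   # constructed secrets K_k in Z_M^*
P_NODE = dict(zip([B for B in product((0, 1), repeat=A) if sum(B)],
                  small_primes(2 ** A - 1)))             # 2^a - 1 system-wide primes p_B
T2 = math.prod(P_NODE.values())

def subset_key_2(k, B):
    return pow(K_NODE[k], T2 // P_NODE[B], M)          # SK_{k,B} = K_k^{T/p_B} mod M

def master_keys_2(j):
    """log_a N keys MK_{j,k} = K_k^{T/W_{j,k}}, one per internal node on path_j."""
    out = {}
    for k, i in path(j):
        W = math.prod(P_NODE[B] for B in subsets_for(k) if B[i] == 1)  # <= 2^{a-1} primes
        out[k] = (pow(K_NODE[k], T2 // W, M), W)
    return out

def derive_2(mks, k, B):
    mk, W = mks[k]
    return pow(mk, W // P_NODE[B], M)

# --- Section 3: the most a coalition of receivers can compute ----------------------
def collude(keys):
    """From MK_i = K^{t_i} (given as (MK_i, t_i)) compute K^{gcd(t_i)} via Bezout
    coefficients; negative exponents are modular inverses (Python 3.8+)."""
    val, exp = keys[0]
    for mk, t in keys[1:]:
        g, x, y = ext_gcd(exp, t)
        val = pow(val, x, M) * pow(mk, y, M) % M       # K^{x*exp + y*t} = K^{g}
        exp = g
    return val, exp

def derivable_from(exp):
    """Subsets whose key K^{T/p} is an integer power of K^{exp}, i.e. exp | T/p."""
    return {s for s in SUBSETS if (T // PRIME[s]) % exp == 0}
```

`collude` is the constructive half of the corollary: with MK_1 = K^{T/W_1} and MK_27 = K^{T/W_27}, the coalition reaches K^{T/lcm(W_1, W_27)}, and a subset key K^{T/p} is a power of that value exactly when p divides W_1 or W_27, i.e. when one of the two already held it; anything more would require a non-trivial root modulo M.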

4 Discussions on the Proposed Methods 

4.1 The Number of Ciphertexts 

Let #CT denote the number of ciphertexts broadcast in our methods. #CT is 
equal to the number of subsets corresponding to subtrees which are left in the 
revocation phase. In this section we examine its upper bound. 

Recall that a sender needs to broadcast one ciphertext encrypted under SK_{1,11...1} if no receivers are revoked. Now we increment the number of revoked receivers one by one. To maximize #CT we should choose each new revoked receiver such that it shares as little of its path as possible with the receivers that have already been revoked, because the shared parts of the paths do not contribute to increasing the number of subtrees. Using this strategy, we choose up to a − 1 revoked receivers as leaves of subtrees rooted at distinct child nodes of the Root. Each such pick increases #CT by log_a N − 1. When we choose the a-th revoked receiver, #CT increases by only log_a N − 2, since the leaf must be chosen in the subtree rooted at the remaining child node of the Root. Similarly, each of the [a^{j−1} + 1]-th to [a^{j−1}(a − 1)]-th revoked receivers increases #CT by log_a N − j, and each of the [a^{j−1}(a − 1) + 1]-th to [a^j]-th revoked receivers increases it by log_a N − j − 1. Therefore we have the following upper bound on the number of ciphertexts. For r < a we clearly have r(log_a N − 1) + 1. For r ≥ a, the i-th revoked receiver adds at most log_a N − ⌈log_a i⌉ subtrees (for i = 1 this term, log_a N, accounts for the initial ciphertext together with the log_a N − 1 subtrees the first revocation creates), and one subtree fewer for each of the a^{j−1} receivers that exhaust the children of a node at level j, so

    #CT ≤ Σ_{i=1}^{r} (log_a N − ⌈log_a i⌉) − Σ_{j=1}^{⌊log_a r⌋} { a^j − a^{j−1}(a − 1) }
        = r log_a N − Σ_{i=1}^{r} ⌈log_a i⌉ − Σ_{j=1}^{⌊log_a r⌋} a^{j−1}
        = r log_a N − (⌊log_a r⌋ + 1) r + a^{⌊log_a r⌋}
        ≤ r log_a N − r (log_a r − 1 + 1) + a^{log_a r}
        = r (log_a (N/r) + 1)
        = r ( log(N/r) / log a + 1 ).

Since r(log_a N − 1) + 1 ≤ r(log_a(N/r) + 1) when 1 ≤ r < a, this upper bound holds for any r ≥ 1.

444 Tomoyuki Asano
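As an added example (not the paper's code), the Python below performs the edge-removal step of the Revocation phase on the Fig. 1 tree (a = 3, N = 27) and returns the subsets S_{k,B} that TC would encrypt under, so that #CT can be compared with the bound r(log_a(N/r) + 1) above; it also checks the Decryption-phase claim that every non-revoked receiver lies in exactly one of those subsets and every revoked receiver in none. The breadth-first node numbering (leaf of u_j at index (N − 1)/(a − 1) + j) and the function names are my own assumptions.

```python
import math

def cover(a, N, revoked):
    """Subsets S_{k,B} TC encrypts under: remove every edge from a revoked leaf up to
    the Root; each remaining subtree hangs off a touched internal node v_k and is the
    set of its untouched children. Breadth-first numbering, v_1 = Root, and the leaf of
    u_j is n_int + j with n_int = (N-1)/(a-1)."""
    n_int = (N - 1) // (a - 1)
    if not revoked:
        return [(1, (1,) * a)]                       # nobody revoked: S_{1,11..1} alone
    touched = {1}
    for j in revoked:
        node = n_int + j
        while node != 1:
            touched.add(node)
            node = (node - 2) // a + 1               # parent in breadth-first numbering
    out = []
    for k in sorted(n for n in touched if n <= n_int):
        B = tuple(int(a * (k - 1) + 2 + i not in touched) for i in range(a))
        if any(B):                                   # all children touched: nothing to send at v_k
            out.append((k, B))
    return out

def contains(a, N, k, B, j):
    """True iff the leaf of u_j lies under a child i of v_k with b_i = 1."""
    n_int = (N - 1) // (a - 1)
    node = n_int + j
    while node != 1:
        parent, i = (node - 2) // a + 1, (node - 2) % a
        if parent == k:
            return B[i] == 1
        node = parent
    return False

def ciphertexts_per_receiver(a, N, revoked):
    """How many cover subsets contain each receiver: 1 if non-revoked, 0 if revoked."""
    cov = cover(a, N, revoked)
    return {j: sum(contains(a, N, k, B, j) for k, B in cov) for j in range(1, N + 1)}

def bound(a, N, r):
    """Section 4.1 upper bound r(log_a(N/r) + 1); a single ciphertext when r = 0."""
    return r * (math.log(N / r) / math.log(a) + 1) if r else 1

if __name__ == "__main__":
    for revoked in ([], [1], [1, 10, 19], [3, 4, 27]):
        cov = cover(3, 27, revoked)
        print(f"r={len(revoked):2d}  #CT={len(cov):2d}  bound={bound(3, 27, len(revoked)):5.2f}  {cov}")
```

Revoking u_1, u_10 and u_19 (one leaf under each child of the Root) is the worst case for r = a: it yields a log_a N − a = 6 ciphertexts, under the bound of 9.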

4.2 Encryption of Secret Information 

Each ciphertext broadcast in our methods is an encryption of secret information I (e.g. a session key) under a subset key. Any encryption algorithm which is considered to be secure can be used for this encryption. For example, we can use a secure block cipher algorithm with block size |I|.

However, the length of a subset key, |M|, is equal to the length of a secure modulus of the RSA cryptosystem and generally |M| > |BK|, where |BK| is the key size of the block cipher algorithm. As introduced in earlier work, we can use a one-way function h : Z_M^* → {0, 1}^{|BK|} that maps elements which are randomly distributed over Z_M^* to randomly distributed strings of the desired length. Namely, we can write the encryption of the secret information as E_{h(SK)}(I), where SK and E_{BK}(m) respectively denote a subset key and the encryption of a message m under the block cipher algorithm using the encryption key BK. Consequently, the size of each ciphertext is reduced to the size of the secret information transmitted, regardless of the size of a subset key.

4.3 Representation of Primes 

In our methods a receiver needs to use some primes for derivation of a subset key. 
In this section we present techniques to store or find those primes and evaluate 
their storage and computational overhead. 

Method 1. The total number of primes assigned to the subsets is (2^a − 2)(N − 1)/(a − 1) + 1 in Method 1. Since the size of the n-th prime is O(n log n), we roughly estimate that the size of each prime is at most O(2^a N log 2^a N). In order to derive a subset key SK_{k,B} in the decryption phase, a receiver needs to compute W_j / p_{k,B}, which is the product of the (2^{a−1} − 1) log_a N primes corresponding to the subsets to which the receiver belongs, except p_{k,B}. If receivers store strictly the primes which are required for derivation of subset keys, they need storage of

    O( ((2^{a−1} − 1) log_a N + 1) (log N + a + log(log N + a)) ) bits.

Note that since those primes are public, receivers do not need to store them in a confidential manner.

On the other hand, this amount of storage overhead might be too large for some types of receivers. In order to reduce the size of such non-secret storage, we can define the assignment of the primes to the subsets as follows. The prime p_{k,B} corresponding to a subset S_{k,B} is the (B)_2-th smallest prime larger than (k − 1) L, where (B)_2 denotes the binary number represented by the bit string B and L is a positive integer. Since at most 2^a − 1 subsets are defined for an internal node in the HKT, L should be large enough that the interval ((k − 1) L, kL] contains at least 2^a − 1 primes. If a number p is chosen at random, the probability that it is prime is about 1 / ln p. Recall that the size of a prime used in the method is at most O(2^a N log 2^a N). Therefore, if we use L satisfying L ≥ (2^a − 1) ln(2^a N log 2^a N), it is expected that the interval ((k − 1) L, kL] contains at least 2^a − 1 primes. This is an expectation, not a guarantee: the density 1 / ln p is only an average and prime gaps fluctuate, so TC should verify the count for every k (enlarging L if necessary) before publishing the assignment, since a short interval would leave some subsets of that node without a prime.

Each receiver can compute p_{k,B} from k and B on the fly as follows. Starting from (k − 1) L + 1, a receiver tests each number using a primality testing algorithm until it finds the (B)_2-th smallest prime. An example of a probabilistic primality testing algorithm is the Miller-Rabin algorithm. Since the complexity of the algorithm for testing a number p is O(log^3 p), and about ln p candidates have to be tested per prime found, the expected computational overhead for finding a prime is O(log^4 p). A receiver u_j needs to find at most 2^a − 1 primes (including primes u_j does not use) for each of the log_a N internal nodes on path_j; therefore the total computational overhead for generation of primes is roughly

    O( (2^a − 1) log_a N (log N + a + log(log N + a))^4 ).

Note that we assume receivers cannot store the primes strictly in order to evaluate Method 1.

Method 2. The total number of primes assigned to the subsets in Method 2 is 2^a − 1. Note that this is much smaller than in Method 1. Since the bit length of the largest prime is roughly O(a + log a), the size of the storage required to store those primes is O((2^a − 1)(a + log a)) bits. It may be possible for receivers to store those primes strictly if the parameter a is chosen reasonably, and we assume this for the evaluation of Method 2. Note that since those primes are system-wide universal and public, receivers do not have to store them in secure non-volatile memory such as the storage for master keys, but can store them in an ordinary mask ROM of the kind used to store program code.

We also have some ways to reduce the size of the storage. For example, we can define the assignment of those primes such that the prime p_B corresponding to a subset S_{k,B} is the (B)_2-th smallest odd prime. Receivers store an A/2-bit table, with each bit telling them whether or not the corresponding odd number is prime, where A is large enough for the range to contain 2^a − 1 odd primes, such that A ≈ 2^a a. This table is also system-wide universal and non-secret. This technique, as well as another way to cut down the size of the storage by listing the sizes of the gaps between primes, has been described in earlier work.

As another option, receivers can compute those primes on the fly. It is easy to find the 2^a − 1 smallest primes for reasonably chosen a, and this requires no storage space.
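As an added example (not the paper's code), the Python below implements the two representations of this section: the Method 1 on-the-fly lookup of p_{k,B} as the (B)_2-th prime above (k − 1) L with a Miller-Rabin test, together with the check on L that the preceding discussion calls for, and the Method 2 bit table over the odd numbers. The interval length uses the n ln n estimate for the n-th prime with n = 2^a N; that choice, the toy parameters a = 3, N = 27 and the function names are my own assumptions.

```python
import math
import random

SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=20):
    """Miller-Rabin. The 12 fixed bases are a deterministic test below 3.3*10^24;
    above that, random bases give an error probability of at most 4^-rounds."""
    if n < 2:
        return False
    for p in SMALL:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    bases = SMALL if n < 3317044064679887385961981 else [random.randrange(2, n - 1) for _ in range(rounds)]
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def interval_length(a, N):
    """L >= (2^a - 1) ln(p_max), with p_max ~ n ln n for n = 2^a N primes (the paper's
    O(2^a N log 2^a N) size estimate), so ((k-1)L, kL] is *expected* to hold 2^a - 1 primes."""
    n = 2 ** a * N
    return math.ceil((2 ** a - 1) * math.log(n * math.log(n)))

def prime_for(k, B, L):
    """Method 1, on the fly: p_{k,B} is the (B)_2-th smallest prime larger than (k-1)L."""
    idx = int("".join(map(str, B)), 2)         # (B)_2, between 1 and 2^a - 1
    n, found = (k - 1) * L, 0
    while found < idx:
        n += 1
        if is_probable_prime(n):
            found += 1
    return n

def short_intervals(a, N, L):
    """Internal nodes k whose interval ((k-1)L, kL] holds fewer than 2^a - 1 primes.
    TC must run this (or enlarge L): the 1/ln p density is an average, not a guarantee."""
    n_int = (N - 1) // (a - 1)
    return [k for k in range(1, n_int + 1)
            if sum(is_probable_prime(n) for n in range((k - 1) * L + 1, k * L + 1)) < 2 ** a - 1]

def odd_prime_bitmap(limit):
    """Method 2: one bit per odd number below `limit` (the A/2-bit table), 1 = prime."""
    sieve = bytearray([1]) * limit
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [sieve[n] for n in range(1, limit, 2)]     # bit t <-> odd number 2t + 1

def prime_for_2(B, bitmap):
    """Method 2: p_B is the (B)_2-th smallest odd prime, read off the bitmap."""
    idx, t = int("".join(map(str, B)), 2), -1
    while idx:
        t += 1
        idx -= bitmap[t]
    return 2 * t + 1
```

With a = 3 and N = 27 the estimate gives L = 50, and `short_intervals` reports node v_11: the interval (500, 550] holds only six primes (503, 509, 521, 523, 541, 547), one short of 2^a − 1 = 7, so the subset with (B)_2 = 7 at v_11 would be assigned a prime from the next node's interval unless L is enlarged; L = 70 passes the check for every node. For Method 2, a table over the odd numbers below 2^a a = 24 already covers the seven odd primes needed.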

4.4 Other Properties 

In this section we briefly explain other properties that our methods have. 

The Number of Revoked Receivers. It is not necessary to fix r, the number of revoked receivers, in advance in our methods. A sender can select an arbitrary group of r (0 ≤ r < N) receivers to be revoked at each transmission of secret information. Conversely, the sender can choose any group of receivers as the actual recipients of each transmission. The number of ciphertexts broadcast is roughly proportional to r. This is an advantage of the revocation methods using a key tree structure [5, 11, 16, 17, 24, 25], including ours, over the methods using a secret sharing scheme [2, 15, 18]. In the latter methods, w, the upper bound of r, must be fixed in advance and the length of the broadcast message is O(w) regardless of the number of receivers actually revoked.

Stateless Receivers. In our methods, no receiver needs to change its master key(s) in order to revoke or re-entitle receivers. Therefore our methods are suitable for stateless receivers. Suppose a receiver u_j has been revoked during a certain period and is then re-entitled to obtain the secret information transmitted afterwards. Even if u_j has recorded all messages broadcast during the period and colludes with other receivers which were also revoked during the period, it cannot obtain the secret information sent at that time unless the encryption scheme used to encrypt the secret information is compromised.

Traitor Tracing. As described in Section 1.1, traitor tracing technology is used to find a receiver who contributed to the production of a non-legitimate receiver device by giving away its private keys. The requirement for tracing traitors proposed by Naor et al. is to find the identities of those that contributed their keys to a non-legitimate receiver and revoke them while still allowing broadcasting to the legitimate receivers. Since our methods have the same property as their methods with respect to the tracing capability, such as the bifurcation property, their efficient tracing algorithm is effective in conjunction with our methods. The upper bound of the bifurcation value is 2/3 in our methods, therefore the algorithm can be performed with at most t log_{3/2} N iterations, where t denotes the number of traitors.
5 Modification of CPPM and CPRM

CPPM and CPRM are mechanisms for protection of copyrighted content recorded on pre-recorded or recordable media against unauthorized copying. These mechanisms include revocation of receivers (i.e. recorders or players). In this section we show a modification of them using the Master Key technique which reduces the number of keys a receiver stores.³

5.1 Brief Description of CPPM and CPRM 

In CPPM and CPRM, the Trusted Center (TC), which is the sender, defines a table with X rows and Y columns and chooses a key K_{x,y} (x = 1, ..., X, y = 1, ..., Y) for each element (x, y) in the table. A compliant receiver u_j is given a unique vector V_j = (v_1 ... v_Y) where v_y ∈ {1, ..., X}, and the set of Y keys K_{v_1,1}, ..., K_{v_Y,Y}. On the other hand, each compliant pre-recorded or recordable medium is given a Media Key Block (MKB) in its pre-recorded area during its manufacturing process. The MKB is a collection of encryptions of a session key under the keys K_{x,y}, where the session key is the key used for encryption or decryption of the content file stored on the medium. Note that the MKB does not contain encryptions under keys K_{x,y} which are given to revoked receivers. In consequence, the revoked receivers will not be able to obtain the session key from the medium. A non-revoked receiver stores, with high probability, at least one key which can be used to decrypt a ciphertext in the MKB in order to obtain the session key. This construction gives a revocation method requiring the sender to broadcast at most XY ciphertexts on the medium and each receiver to store Y keys.


5.2 The Modification 

Now we modify this method using the Master Key technique. Instead of choosing the keys K_{x,y} independently of each other, TC chooses and publishes XY distinct primes p_{x,y}, one for each element (x, y) in the table, and defines each key K_{x,y} as

    K_{x,y} = K^{T / p_{x,y}} mod M

where M is a public value which is the product of two large secret primes, K is a secret value chosen randomly from Z_M^*, and T is the product of all primes p_{x,y}. Then TC gives a receiver u_j a master key MK_j of Y keys, one key from each column. Each of the keys corresponds to an element (v_y, y) in the table, where v_y is the y-th element of the vector V_j. The master key MK_j is defined as

    MK_j = K^{T / W_j} mod M

where W_j = ∏_{y=1}^{Y} p_{v_y, y} and v_y is the y-th element of V_j.

³ Note that the discussions on the properties of CPPM and CPRM in this paper are based on Section 4.5 of the paper by Naor et al.

Given a master key MK_j, a receiver u_j can derive a key K_{v_y,y} from MK_j as

    MK_j^{W_j / p_{v_y,y}} mod M = (K^{T / W_j})^{W_j / p_{v_y,y}} mod M = K^{T / p_{v_y,y}} mod M = K_{v_y,y}.

The discussion of the security of the proposed revocation methods in Section 3 applies directly to this modification as well. We can also use the techniques described in Sections 4.2 and 4.3 in order to reduce the size of each ciphertext in the MKB and the size of the storage at a receiver, respectively. This modification reduces the number of keys each receiver stores to only one, in exchange for additional computational overhead, i.e. Y − 1 multiplications and one modular exponentiation, assuming that receivers store their Y primes strictly. Other properties, such as the size of the MKB and the upper bound on the number of revoked receivers, remain the same as in the original methods. The size of the MKB, namely the number of ciphertexts in the MKB, is at most XY, and the size of each ciphertext is the size of the session key. Note that, as analyzed by Naor et al., since the probability that a legitimate receiver is revoked (because every one of its Y keys is also held by some revoked receiver) increases non-negligibly when the number of revoked receivers becomes large, the revocation capability must be bounded by X.


6 Summary 

In this paper we have proposed two efficient revocation methods which are suitable for stateless receivers. Our methods use the Master Key technique and the Power Set Method with an a-ary key tree structure in order to reduce the number of keys each receiver stores and the number of ciphertexts broadcast, respectively. Method 1 requires receivers to store only one key. Method 2 is its variant which reduces the computational overhead of receivers in exchange for an increase in the number of master keys they store. We have discussed the security of our methods and some techniques used in those methods. We have also shown a modification of CPPM and CPRM using the Master Key technique where the number of keys each receiver stores is reduced to one.
Abstract. We propose a new mix network that is optimized to produce a correct output very fast when all mix servers execute the mixing protocol correctly (the usual case). Our mix network only produces an output if no server cheats. However, in the rare case when one or several mix servers cheat, we convert the inputs to a format that allows “back-up” mixing. This back-up mixing can be implemented using any one of a wide array of already proposed (but slower) mix networks. When all goes well, our mix net is the fastest, both in real terms and asymptotically, of all those that offer standard guarantees of privacy and correctness. In practice, this benefit far outweighs the drawback of a comparatively complex procedure to recover from cheating. Our new mix is ideally suited to compute almost instantly the output of electronic elections, whence the name “exit-poll” mixing.


1 Introduction 

The recently devised mix network constructions of Furukawa and Sako [FS01] 
and Neff [Nef01] provide the full spectrum of security properties desirable in an 
election scheme. They achieve privacy, which is to say concealment of individual 
votes, and also robustness against Byzantine server failures. They additionally 
possess the property of universal verifiability, that is, the ability for any entity 
to verify the correct functioning of the mix, even in the face of an adversary 
that controls all servers and voters. Finally, the Furukawa/Sako and Neff mixes 
are substantially more efficient in terms of both computational and communica- 
tions requirements than previously proposed mix networks with similar security 
properties. 

Fast as they are, however, these mixes still remain cumbersome as tools for 
large-scale elections. Sako et al. report a running time of roughly six hours to 
process a batch of 100,000 votes [FMMOS02]. In a federal election involving 
large precincts (conceivably millions of ballots in some states) a complete tally 
would thus require many hours. Premature media predictions of Gore’s victory 
in Florida in the 2000 U.S. presidential election demonstrate the hunger of the 
electorate for timely information, and also the mischief that can be wrought 
in its absence. There is clearly a political and social need for faster tallying 
mechanisms than Furukawa/Sako and Neff alone can provide. 

We describe here a mix network that is tailored for election systems, but 
with a substantial speedup over Furukawa/Sako and Neff. In settings like that 
described by Sako et al., for example, we estimate that our construction is ca- 
pable of yielding a six-to-eight times speedup. We achieve this improvement by 
taking an “optimistic” or “fast-track” [GRR98] approach. In particular, we iden- 
tify functionality in Furukawa/Sako and Neff that is not needed in the likely case 
that mix servers behave correctly and that most ballots are well formed. In the 
optimistic case, we show how to dispense with the costly property of robustness 
against Byzantine server failures. We also provide a form of universal verifiabil- 
ity that is somewhat weaker than the standard definition, but less costly, and 
adequate for nearly all types of elections, as we explain. 

We refer to our proposal as an exit-poll mix network, by analogy with the 
“exit polls” used to provide fast predictions of election outcomes. If servers 
behave correctly, our exit-poll mix yields a correct election tally very rapidly. 
We expect this to be by far the most common case. If server cheating occurs, our 
mix identifies misbehaving servers. The privacy of all votes remains protected 
(given a majority of honest servers), but our mix does not produce an output. In 
such cases, our exit-poll scheme permits seamless fallback to a more heavyweight 
mix (like Furukawa/Sako or Neff) which can take over, complete the mixing and 
produce an output. Such heavyweight mixes can also be employed to achieve 
supplemental, after-the-fact certification of an election tally achieved with our 
mix. 

Our exit-poll mix is a general ciphertext-to-plaintext scheme. While it is de- 
signed particularly for use in election schemes, we note that it can be employed 
in many of the other applications for which such mix networks are useful. Exam- 
ples include anonymous e-mail [Cha81] and bulletin boards, anonymous payment 
systems [?] as well as anonymized Web browsing [?]. 

The rest of the paper is organized as follows. We review related work in 
section 2. In section 3, we describe ElGamal re-encryption mix networks. We 
present the high-level design of our new mix network in section 4, and give 
a detailed description of the protocol in section 5. In section 6, we prove the 
properties of our mix net. We conclude in section 7. 

2 Related Work 

Chaum proposed the first mix network, a decryption mix, in [Cha81]. In Chaum’s 
construction, users encrypt their inputs with the public-key of each mix server, 
starting with the last and ending with the first mix server in the net. Each mix 
server removes one layer of encryption, until the plaintexts are output by the 
last server. The weakness of this approach is that the mixing can not proceed 
if a single server is unavailable. To achieve robustness against server failures, 
[PIK93] introduced a new type of mix, re-encryption mix nets, in which the 
mixing and decryption phases are separated (see section 3). The particular re- 
Fig. 1. Optimistic cost per server (for a total of k servers) of mixing n items with 
different mix schemes, measured in number of exponentiations. Note that our proof 
and verification costs do not depend on n. The table also indicates whether addition 
chains can be used to pre-compute exponentiations. “Partially” indicates that addition 
chains can be used only in the mixing phase but not to prove correctness. 


encryption mix of [PIK93] was shown insecure in [?], but was later fixed by [OKST97]. 

The main difficulty of re-encryption mixes is to design computationally effi- 
cient ways for mix servers to prove that they mixed and re-encrypted their inputs 
correctly in the mixing phase. The first techniques were based on costly gen- 
eral purpose cut-and-choose zero-knowledge proofs [SK95, OKST97, Abe98]. Mil- 
limix [JJ99] and MIP-2 [Abe00, AH01] are based on more efficient zero-knowledge 
proofs specifically designed to prove that an output is a re-encryption of one of 
two inputs. 

The most efficient schemes to date that offer the full spectrum of security 
properties are those of Furukawa and Sako [FS01] and Neff [Nef01]. The table 
in figure 1 compares the real cost of mixing n items (in terms of the number 
of exponentiations required) with different mixing schemes (the numbers are 
taken from the respective papers). The column indicating the cost of proof and 
verification is in bold, because that is typically by far the most expensive step, 
and it is the step that we are optimizing. The cost of re-encryption is higher in our 
scheme than in others, but the difference pales in comparison with our savings in 
the proof and verification step. Furthermore, the re-encryption exponentiations 
can be pre-computed. The table also indicates whether each mixing scheme can 
take advantage of the speed-up techniques proposed in [Jak99] for multiple 
exponentiations with respect to a fixed base. These techniques, based on addition 
chains, reduce the equivalent cost of one exponentiation to approximately 10 
multiplications for reasonable sizes of batches (see [Jak99] for more details). 
This amounts to a very significant speed-up. Our scheme is not only the fastest, 
but also the only one that can fully take advantage of addition chains in this 
sense. 

1 Other aspects of that proposal were later found flawed, and corrected, in [MK00]. 
The exposed vulnerabilities do not affect the soundness of the speed-up techniques. 

2 We note that these proposals have computational costs quadratic in the number of 
servers, due to the use of interactive proofs. However, if non-interactive proofs are 
employed - as in subsequent papers - this is brought down to a linear cost. The 
computational cost we use in the table assumes that this enhancement is performed. 
An attractive alternative to mix networks is homomorphic encryption, in 
particular the Paillier scheme [Pai99]. Election schemes based on homomorphic 
encryption require a good deal of computation for verification of correct ballot 
formation, but very little for tallying. In practice, therefore, they can be much 
faster than mix-based election schemes. Until recently, an objection to homo- 
morphic schemes has been their inability to accommodate write-in votes, an 
unavoidable requirement in the election systems of many jurisdictions. Kiayias 
and Yung have recently devised a simple scheme that circumvents this difficulty 
[KY02]. In brief, the idea is to permit each ballot to contain either a standard 
vote or a write-in vote, and to set aside write-in votes for separate processing 
via a mix network (in the unlikely case that this is needed). 

It is our belief that mix networks will nonetheless remain an essential tool 
in electronic voting, as they still provide features that homomorphic schemes 
cannot. Vote-buying and coercion are serious threats in any election, but poten- 
tially much more problematic in Internet-based elections, given the anonymizing 
mechanisms available on the Internet and its reach across many jurisdictions. 
Schemes based on mix networks offer ways of minimizing these threats [HS00], 
while homomorphic schemes do not. A second advantage of mix networks is 
their flexibility with regard to key distribution. To distribute shares in the Pail- 
lier system without use of a trusted third party requires expensive joint RSA 
key-generation protocols (e.g., [BF97]), and distribution of a fresh RSA modulus 
for every election involving a different distribution of trust. Mix-based schemes 
can be based on discrete-log cryptosystems, with simpler and more generalizable 
keying mechanisms. With this in mind, we propose a new mix network which 
offers a significant efficiency improvement over existing constructions. 

3 ElGamal Re-encryption Mix Network 

In this section, we describe the basic operation of a plain-vanilla re-encryption 
mix network based on the ElGamal cryptosystem. It will serve as a basis for our 
main construction described in sections 4 and 5. The operation of a mix network 
can be divided into the following steps: 

1. Setup Phase. In the setup phase, the mix servers jointly generate the public 
and private parameters of an ElGamal cryptosystem. The private key is 
shared in a (t, n)-threshold verifiable secret sharing scheme among all mix 
servers, while the public parameters are published. 

2. Submission of Inputs. All users submit their inputs to the mix encrypted 
with the public parameters generated in the setup phase. 

3. Mixing Phase. Each mix server in turn mixes and re-randomizes the batch 
of ciphertexts submitted to the mix. 

4. Decryption Phase. After the mixing is done, all output ciphertexts are 
decrypted by a quorum of mix servers. 

We start with a description of the ElGamal cryptosystem, and discuss in 
particular how to re-randomize ciphertexts in the mixing phase. We then explain 
how to jointly generate the parameters for an ElGamal cryptosystem in the setup 
phase, and how the quorum decryption works in the decryption phase. 

3.1 ElGamal Cryptosystem 

ElGamal is a randomized public-key encryption scheme. Let $P$ and $Q$ be two large primes such that $P = 2Q + 1$. We denote by $G_Q$ the subgroup of $\mathbb{Z}_P^*$ of order $Q$. Let $g$ be a generator of $G_Q$. The private key is an element $x \in \mathbb{Z}_Q$, and the corresponding public key is $y = g^x \bmod P$. To encrypt a plaintext $m \in G_Q$, we choose a random element $r \in \mathbb{Z}_Q$ and compute the ciphertext $E_y(m, r) = (g^r, m y^r)$. Note that an ElGamal ciphertext is a pair of elements of $G_Q$. To get the decryption $D_x(G, M)$ of an ElGamal ciphertext $(G, M)$, we compute $D_x(G, M) = M / G^x$. The ElGamal cryptosystem is semantically secure [Bon98] if the decisional Diffie-Hellman assumption holds in the group $G_Q$.

Re- randomization 

ElGamal is a randomized encryption scheme that allows for re-randomization of ciphertexts. Given an ElGamal ciphertext $(G, M)$, a mix server can efficiently compute a new ciphertext $(G', M')$ that decrypts to the same plaintext as $(G, M)$ (we say that the ciphertext $(G', M')$ is a re-randomization of $(G, M)$). To re-randomize a ciphertext, the mix server chooses a value $r \in \mathbb{Z}_Q$ uniformly at random and computes $(G', M') = (G g^r, M y^r)$. Observe that this does not require 
knowledge of the private key, and that the exponentiation can be pre-processed. 

Given two ElGamal ciphertexts, it is infeasible to determine whether one 
is a re-randomization of the other without knowledge of either the private de- 
cryption key x or the re-randomization factor r, assuming that the Decision 
Diffie-Hellman problem is hard in Gq. A mix server can use this property to 
hide the correspondence between its input and output ciphertexts: the input 
ciphertexts are first re-randomized, then output in a random order. 

However, a mix server who knows the re-randomization factor $r$ can efficiently convince a verifier that $(G', M')$ is a re-randomization of $(G, M)$ without revealing $r$. The proof of re-randomization consists simply of proving that $\log_g(G'/G) = \log_y(M'/M) \pmod P$, which trivially implies that there exists $r$ such that $(G', M') = (G g^r, M y^r)$. To prove the former discrete logarithm equality, we may use for example Schnorr signatures [Sch91] (as suggested in [Jak98]) or a non-interactive version [FS86] of the Chaum-Pedersen protocol [CP92]. This 
proof of re-randomization will serve as the basis for a proof that allows a mix 
server to prove that it mixed its inputs correctly (observe that in the real proof 
of correctness, a mix server must not reveal which output is a re-randomization 
of which input, so the proof outlined above will not work as is.) 

3.2 Distributed ElGamal 

In the setup phase, the mix servers jointly generate the parameters $(P, Q, g, x, y)$ of an ElGamal cryptosystem, in such a way that the private key $x$ is distributed in a $(t, n)$-threshold verifiable secret sharing (VSS) scheme among all mix servers [Fel87]. To set up this VSS, a simple solution is to have a trusted “dealer” generate all the parameters and then distribute shares of the private key to the mix servers. (An alternative solution that does not require a trusted third party was proposed in [Ped91], but it was later found flawed by [GJKR99]. Note that the proved-correct protocol suggested in [GJKR99] is for a different VSS scheme.)

With the private key thus shared, it is known that any quorum of $t$ mix servers can jointly decrypt the output ElGamal ciphertexts without explicitly reconstructing the private key $x$. A quorum $T$ of $t$ servers can decrypt a ciphertext $(G, M)$ as follows:

$$D_x(G, M) = \frac{M}{G^x} = \frac{M}{\prod_{j \in T} \left(G^{x_j}\right)^{\lambda_{j,T}}}$$

where $x_j$ is the share held by server $j$ and the $\lambda_{j,T}$ are the Lagrange interpolation coefficients for the quorum $T$, so that $x = \sum_{j \in T} \lambda_{j,T}\, x_j$. Observe that this equation requires each server $j \in T$ to raise $G$ to the $x_j$-th power. Server $j$ may prove that it has honestly computed $S = G^{x_j}$ with the following proof of discrete logarithm equality: $\log_G S = \log_g y_j \ (= x_j) \pmod P$, where $y_j = g^{x_j}$ is the public verification value of server $j$.


4 Mix Net Design 

Our new mix net mixes ciphertexts like an ElGamal re-encryption mix. The 
novelty lies first in a highly efficient method for proving that the mixing was 
done correctly, and second in a method for falling back on a more heavyweight 
mix if cheating by a server is detected. We start with a high-level description of 
these two building blocks. 

Each input ciphertext submitted to our mix net is required to be the en- 
cryption of a plaintext that includes a cryptographic checksum. To verify that a 
mix server operated correctly, we ask for a proof that the product of the plain- 
texts corresponding to the input ciphertexts equals the product of the plaintexts 
corresponding to the output ciphertexts. As we shall show, such proofs can be 
produced and verified highly efficiently without knowledge of the plaintexts. We 
call this proof a proof-of-product (POP) with checksum. 

This proof however does not detect all types of cheating. Rather, it guar- 
antees that if the mix server did not mix correctly, it had to introduce in the 
output at least one new ciphertext that corresponds to a plaintext with an in- 
valid checksum. When outputs are decrypted, invalid checksums are traced to 
one of two sources: either an input that was originally submitted to the mix 
network with an invalid checksum, or a cheating mix server. The difficulty of 
this approach lies in the fact that since invalid checksums can only be traced at 
decryption time, cheating may not be detected until after the harm is done. In 
effect, a cheating server may be able to match inputs to outputs before cheating 
gets detected in the verification step. If we were to use this mix just like that, 
nothing could be done after a server has cheated to restore the privacy of those 
users whose inputs have already been traced. In particular, a second round of 
mixing wouldn’t help. 
To address this difficulty, we introduce the second main contribution of this 
paper, which may be of interest on its own. Our approach is to encrypt users’ 
inputs twice (a technique we call double enveloping). In the verification step 
outlined above, the output ciphertexts are first decrypted only once. If the ver- 
ification succeeds and no servers are found to have cheated, the output cipher- 
texts are decrypted one more time and yield the plaintext. If on the other hand 
one or several servers are found to have cheated, the output ciphertexts are not 
decrypted further. Instead, they become the input to a different (slower) mix 
network such as [Nef01] and are mixed a second time before being finally de- 
crypted. This second round of mixing ensures that the privacy of users can not 
be compromised. A cheating server in the first round of mixing may learn at most 
the relationship between a double-encrypted ciphertext and a single-encrypted 
ciphertext, which does not help to find the corresponding plaintext after the 
second round of mixing. 

In the rest of this section, we describe these two building blocks in greater 
detail. 

4.1 Proof of Product with Checksum 

Consider a mix server who receives as inputs $n$ ElGamal ciphertexts $(G_i, M_i)$, and outputs a permuted re-randomization of these, namely a permutation of the list of $(G'_i, M'_i) = (G_i g^{r_i}, M_i y^{r_i})$. Our key idea is to let the mix server prove that its operations are product preserving, i.e. that the product of the plaintexts corresponding to the input ciphertexts $(G_i, M_i)$ equals the product of the plaintexts corresponding to the output ciphertexts $(G'_i, M'_i)$. The following property of the ElGamal encryption scheme makes this possible:

Proposition 1. (Multiplicative Homomorphism of ElGamal): Let $(G_1, M_1)$ and $(G_2, M_2)$ be ElGamal encryptions of plaintexts $P_1$ and $P_2$. Then $(G_1 G_2, M_1 M_2)$ is an ElGamal encryption of the product $P_1 P_2$. We call $(G_1 G_2, M_1 M_2)$ the “product” of $(G_1, M_1)$ and $(G_2, M_2)$.

Proposition 1 shows that any verifier can compute an ElGamal encryption $(G, M)$ of $\prod_i m_i$, and an ElGamal encryption $(G', M')$ of $\prod_i m'_i$, where $m_i$ (resp. $m'_i$) is the plaintext corresponding to $(G_i, M_i)$ (resp. $(G'_i, M'_i)$). To prove that its operations are product preserving, the mix server need only prove that $\log_g(G'/G) = \log_y(M'/M)$. As we saw in section 3.1, this implies that

$$\prod_i m_i = \prod_i m'_i.$$

The Need for a Checksum 

The product equality $\prod m_i = \prod m'_i$ clearly does not imply that the sets $\{m_i\}_{i=1}^n$ and $\{m'_i\}_{i=1}^n$ are equal. In other words, the property of being product-preserving does not by itself guarantee that a mix net operates correctly. Our approach is to restrict the plaintexts $m_i$ (and therefore also $m'_i$) to a particular format, in such a way that it becomes infeasible for a dishonest mix server to find a set $\{m'_i\} \neq \{m_i\}$ such that $\prod m_i = \prod m'_i$ and the elements $m'_i$ are of the required format. We propose to define this special format by adding a cryptographic checksum to the plaintext, drawing on the techniques of [?]. This is done as follows.

Users format their inputs to the mix net as an ElGamal encryption of a plaintext $m$ and an ElGamal encryption of $h(m)$, where $h : \{0,1\}^* \to G_Q$ is a cryptographic hash function (in the proof of security, we model $h$ as a random oracle [BR93]):

$$\left(E_y(m, r),\ E_y(h(m), r')\right)$$
Each input to the mix now consists of a pair of ElGamal ciphertexts. The 
mix re-randomizes separately each of the two ElGamal ciphertexts in every pair, 
then outputs all the pairs in a random order. The mix must then prove that the 
products of the plaintexts corresponding to the first element in the pair are the 
same in the input and the output ($\prod m_i = \prod m'_i$) and also that the products of the plaintexts corresponding to the second element in the pair are the same in the input and the output ($\prod h(m_i) = \prod h(m'_i)$). As we shall prove in section 6, these two proofs together guarantee the set equality $\{m_i\} = \{m'_i\}$.

4.2 Double Enveloping 

As we have already pointed out, a mix whose correctness was enforced only by 
a proof-of-product with redundancy may not detect server cheating until after 
the harm is done. To illustrate how users’ privacy may be compromised even 
if all cheating servers are disqualified, we offer the following example. Assume 
that the first mix server is corrupt and that the input submitted by user i is 
$(E_y(m_i, r_i), E_y(h(m_i), r'_i))$. The corrupt first server can replace the input of user 1 by $\left(E_y(m_1, r_1)\,E_y(m_2, r_2),\ E_y(h(m_1), r'_1)\,E_y(h(m_2), r'_2)\right)$ (recall the definition of the product of ElGamal ciphertexts in Section 4.1) and replace the input of user 2 by $(1, 1, 1, 1)$. Such cheating will only be detected after the decryption phase.
Even if the cheating server were to be disqualified and the mixing protocol 
restarted, the cheating server would still be able to distinguish the plaintexts 
submitted by users 1 and 2 from other users’ plaintexts, by comparing the output 
of the restarted protocol with that of the first execution. 
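An added Python example (not the paper's own code) that ties together re-randomization from section 3.1, the proof of product of section 4.1 as a Fiat-Shamir Chaum-Pedersen proof, and the checksum check, including the substitution just described: the product-preserving swap of users 1 and 2 passes the POP but is caught when checksums are verified at decryption. The group, the key and the messages are constructed toy values, and SHA-256 stands in for the hash $h$.

```python
import hashlib
import secrets

# Toy ElGamal group, constructed for illustration (far too small for real use).
# P = 2Q + 1 with P, Q prime; G_Q is the order-Q subgroup of Z_P^*, generated by g.
P, Q = 2039, 1019
g = 4                               # a quadratic residue, hence of order Q
x = secrets.randbelow(Q - 1) + 1    # private key (threshold-shared in the real scheme)
y = pow(g, x, P)                    # public key

def hash_int(*items):
    return int.from_bytes(hashlib.sha256("|".join(map(str, items)).encode()).digest(), "big")

def h(*items):
    """Checksum hash h: {0,1}* -> G_Q (a random oracle in the paper's proof)."""
    return pow(hash_int(*items) % (P - 1) + 1, 2, P)

def encode(v):
    """Map an integer in 1..Q into G_Q (the quadratic residues mod P)."""
    return pow(v, 2, P)

def encrypt(m, r=None):
    r = secrets.randbelow(Q) if r is None else r
    return (pow(g, r, P), m * pow(y, r, P) % P), r

def decrypt(ct):
    return ct[1] * pow(pow(ct[0], x, P), -1, P) % P     # M / G^x

def rerandomize(ct, r=None):
    """Section 3.1: (G', M') = (G g^r, M y^r) decrypts to the same plaintext."""
    r = secrets.randbelow(Q) if r is None else r
    return (ct[0] * pow(g, r, P) % P, ct[1] * pow(y, r, P) % P), r

def ct_product(cts):
    """Proposition 1: the componentwise product encrypts the product of plaintexts."""
    G, M = 1, 1
    for a, b in cts:
        G, M = G * a % P, M * b % P
    return G, M

def cp_prove(A, B, r):
    """Non-interactive (Fiat-Shamir) Chaum-Pedersen proof that log_g A = log_y B = r."""
    w = secrets.randbelow(Q)
    t1, t2 = pow(g, w, P), pow(y, w, P)
    c = hash_int(g, y, A, B, t1, t2) % Q
    return t1, t2, (w + c * r) % Q

def cp_verify(A, B, proof):
    t1, t2, s = proof
    c = hash_int(g, y, A, B, t1, t2) % Q
    return pow(g, s, P) == t1 * pow(A, c, P) % P and pow(y, s, P) == t2 * pow(B, c, P) % P

def quotient(ins, outs):
    """(G'/G, M'/M) between the product ciphertexts of the inputs and of the outputs."""
    (G, M), (G2, M2) = ct_product(ins), ct_product(outs)
    return G2 * pow(G, -1, P) % P, M2 * pow(M, -1, P) % P

def column(rows, k):
    return [row[k] for row in rows]      # k = 0: E(m) halves, k = 1: E(h(m)) halves

def submit(m):
    """User input of section 4.1: (E_y(m, r), E_y(h(m), r'))."""
    return encrypt(m)[0], encrypt(h(m))[0]

def honest_mix(batch):
    """Re-randomize both halves of every pair, permute the pairs, give one POP per half."""
    out, total_r = [], [0, 0]
    for pair in batch:
        fresh = []
        for k, ct in enumerate(pair):
            ct2, r = rerandomize(ct)
            total_r[k] = (total_r[k] + r) % Q   # POP witness: log_g(G'/G) = sum of r_i
            fresh.append(ct2)
        out.append(tuple(fresh))
    secrets.SystemRandom().shuffle(out)
    return out, [cp_prove(*quotient(column(batch, k), column(out, k)), total_r[k]) for k in (0, 1)]

def cheating_mix(batch):
    """The substitution of section 4.2: inputs 1 and 2 become their product and (1, 1, 1, 1).
    All products are preserved, so the POP (witness 0) still verifies."""
    merged = tuple(ct_product([batch[0][k], batch[1][k]]) for k in (0, 1))
    out = [merged, ((1, 1), (1, 1))] + list(batch[2:])
    return out, [cp_prove(*quotient(column(batch, k), column(out, k)), 0) for k in (0, 1)]

def verify_pops(batch, out, proofs):
    return all(cp_verify(*quotient(column(batch, k), column(out, k)), proofs[k]) for k in (0, 1))

def checksums_valid(out):
    """Decryption phase: a pair is valid only if its second plaintext equals h(first)."""
    return all(decrypt(hc) == h(decrypt(mc)) for mc, hc in out)
```

The POP alone accepts the cheating server's output; only the checksum comparison after decryption exposes it, which is exactly why the paper adds the second envelope before any plaintext is revealed.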

To defend against this attack, we add a second layer of encryption to the 
plaintext m of a user. A user whose plaintext input is m is required to submit 
the following triple of ciphertexts to the mix: 


$$\left(E_y(G, r_1),\ E_y(M, r_2),\ E_y(h(G, M), r_3)\right)$$

where $(G, M) = (g^r, m y^r)$, and as before $h : \{0,1\}^* \to G_Q$ is a cryptographic hash function.

Thus ( G , M) replaces m in the description of POP-with-checksum above. 
(Other double enveloping designs resulting in the same functional structure are 
possible. We choose this one for concreteness.) If cheating is caused by a corrupt 
server, we can re-randomize all the inner-layer encryptions and their order with 
a standard ElGamal-based re-randomization mix net, before they are finally 
decrypted to plaintexts. Although the adversary might be able to link some 
inner-layer encryptions to the input ciphertexts, he cannot link the final output 
plaintexts to them. 

5 Exit-Poll Mix Net 

Assumptions. We assume that there exists a bulletin board, which is accessi- 
ble to the public, and is authenticated, tamper-proof, and resistant to denial-of- 
service attacks. All messages and proofs are posted on this bulletin board. 

Setup. The mix servers jointly generate parameters ( P,Q,g,x,y ) for an ElGa- 
mal cryptosystem E. The public parameters are made public, while the private 
key $x$ is shared among the mix servers in a $(t, n)$-threshold VSS scheme. Users are required to submit their input $m_i$ to the mix net formatted as follows:

1. The user encrypts the input $m_i$ to produce $E_y(m_i) = (G_i, M_i)$.

2. The user computes $H_i = h(E_y(m_i))$. As explained earlier, we model $h$ as a random oracle in the proof of security. In practice, a publicly available hash function such as MD5 [Riv92] or SHA-1 [N95] should be used.

3. The user submits the triple $E_y(G_i), E_y(M_i), E_y(H_i)$. The mix servers check 
that every component belongs to Gq, and that this input has not already 
been submitted. If any component is not in Gq, the user is disqualified and 
the triple is discarded. If the same input has already been submitted by 
another user, the duplicate submission is discarded. 

4. The user proves his knowledge of $G_i, M_i, H_i$ (see footnote 3). This is important to prevent 
a user from re-encrypting and re-posting another user’s input. This proof 
of knowledge should be bound to a unique mix-session identifier to achieve 
security across multiple invocations of the mix. Any user who fails to give 
the proof is disqualified, and the corresponding input is discarded. 

5. We note that dishonest users may submit inputs that are not properly for- 
matted, in the sense that the equality Hi = h(E y (mi)) does not hold. We 
stress that such improperly formatted inputs can not force our mix net to 
default to the slower back-up mixing. The only event that can trigger a 
default to the back-up mixing is cheating by one of the mix servers. 

First Stage: Re-randomization and Mixing. This step proceeds as in all 
re-randomization mix nets based on ElGamal. One by one, the mix servers re- 
randomize all the inputs and their order. (Note that the components of triples 
are not separated from each other during the re-randomization.) In addition, 
each mix server must give a proof that the product of the plaintexts of all its 
inputs equals the product of the plaintexts of all its outputs. 


3 We note that for reasons of efficiency, it suffices that he proves knowledge of one of these components, and makes the proof relative to the other two. This can be done (as is standard) by letting the latter two be part of the input to the random oracle that sets the challenge for the proof.
1. Each mix server reads from the bulletin board the list of triples corresponding to re-encryptions of $E_y(G_i), E_y(M_i), E_y(H_i)$ output by the previous mix server: $\{(g^{r_i}, a_i y^{r_i}),\ (g^{s_i}, b_i y^{s_i}),\ (g^{t_i}, c_i y^{t_i})\}_{i=1}^{n}$. (Note that even if some servers have cheated, the ciphertexts can still be formatted like that, provided that every component belongs to $G_Q$.)

2. The mix server re-randomizes the order of these triples according to a secret and random permutation. Note that it is the order of triples that is re-randomized, and that the three components $E_y(G_i)$, $E_y(M_i)$ and $E_y(H_i)$ that make up each triple remain in order.

3. The mix server then re-randomizes each component of each triple independently, and outputs the results: $\{(g^{r'_i}, a'_i y^{r'_i}),\ (g^{s'_i}, b'_i y^{s'_i}),\ (g^{t'_i}, c'_i y^{t'_i})\}_{i=1}^{n}$.

4. The mix server proves that $\prod_i a_i = \prod_i a'_i$ and $\prod_i b_i = \prod_i b'_i$ and $\prod_i c_i = \prod_i c'_i$.

Second Stage: Decryption of the Inputs 

1. A quorum of mix servers jointly decrypt each triple of ciphertexts to produce 
the values $G_i$, $M_i$ and $H_i$, using the technique we reviewed in Section 3.2. 

2. All triples for which $H_i = h(G_i, M_i)$ are called valid. 

3. Invalid triples are investigated according to the procedure described below. 
If the investigation proves that all invalid triples are benign (only users 
cheated), we proceed to step 4. Otherwise, the decryption is aborted and 
we continue with the back-up mixing. 

4. A quorum of mix servers jointly decrypts the ciphertexts $(G_i, M_i)$ for all valid 
triples. This successfully concludes the mixing. The final output is defined 
as the set of plaintexts corresponding to valid triples. 

Special Step: Investigation of Invalid Triples. The investigation proceeds 
as follows. The mix servers must reveal the path of each invalid triple through 
the various permutations. For each invalid triple, starting from the last server, 
each server reveals which of its inputs corresponds to this triple, and how it 
re-randomized this triple. The cost of checking the path of an invalid triple is 
three exponentiations per mix server (the same cost as that incurred to run one 
input through the mix net). One of two things may happen: 

— Benign Case (Only Users Cheated): if the mix servers successfully pro- 
duce all such paths, the invalid triples are known to have been submitted 
by users. The decryption is resumed after the incorrect elements have been 
removed. 

— Serious Case (One or More Servers Cheated): if one or more mix 
servers fail to recreate the paths of invalid triples, these mix servers are 
accused of cheating and replaced, and our mix terminates without producing 
an output. In this case, the inputs are handed over to the back-up mixing 
procedure described next. 

Note that when the mix servers investigate an invalid triple we assume im- 
plicitly that the successive permutations applied by mix servers define a unique 
path for each triple through the mix net. This is not strictly true if two or more 
triples encode the same inner-layer ciphertext. Indeed if two triples correspond to 
different outer-layer encryptions of the same inner-layer ciphertext, the (outer- 
layer) re-encryption of one can be passed off as a re-encryption of the other. 
In this case, the permutations do not strictly commit mix servers to a unique 
path for each triple. Observe however that this does not affect the investigation 
of invalid triples. A corrupt server may substitute one copy (i.e. outer-layer en- 
coding) of an invalid triple for another, but must eventually account for all copies. 

Back-Up Mixing. The outer-layer encryption of the inputs posted to the mix 
net is decrypted by a quorum of mix servers. The resulting set of inner-layer 
ciphertexts becomes the input to a standard re-encryption mix net based on 
ElGamal (using, for example, Neff’s scheme described in [Nef01]). At the end 
of this second mixing, the ciphertexts are finally decrypted to plaintexts, which 
concludes the mixing. 

6 Security Analysis 

We start with a brief discussion of the efficiency of our scheme. The costs are as 
follows for a batch consisting of n inputs: 

— Re-encryption and Mixing: Linear number of modular exponentiations (6n). 

— Proof of Correct Mixing: Constant number of modular exponentiations (but 
number of modular multiplications linear in n). 

— Verification: Constant number of modular exponentiations per server (but 
number of modular multiplications linear in n). The cost is also linear in the 
number of servers. 

— Decryption: Linear number of modular exponentiations ($(5 + 10k)n$ for $k$ 
servers). 

This makes our mix not only twice as fast as the next fastest mix network 
[Nef01], but also the only mix (among mixes with standard security guarantees) 
for which the costs are incurred mostly in the re-encryption and decryption 
phases. This is important because these two phases (unlike the proof phase) 
can benefit from the significant speed-up techniques developed in j.Takffflj. Using 
addition chains, we estimate that the cost of one exponentiation is roughly 
equivalent to 10 multiplications, with reasonably sized batches. 

We now turn to proving that our mix network offers guarantees of correctness, 
verifiability and privacy. 

Proposition 2. (Correctness) If all parties follow the protocol, the output of 
the mix net is a permuted decryption of the input. 

Since the set of plaintexts is preserved in re-randomizations, this follows from 
the correctness of decryption. 

The verifiability of our mix net is a restricted form of universal verifiability 
in the sense that only the operation of the mix net on valid inputs (i.e., the 
inputs that are well-formed according to our protocol) is universally verifiable. 
We call this restricted form of verifiability "public verifiability". 
Definition 1. (Public Verifiability) A mix net is publicly verifiable if there ex- 
ists a polynomially bounded verifier that takes as input the transcript of the 
mixing posted on the bulletin board, outputs “valid” if the set of valid outputs is 
a permuted decryption of all valid inputs, and otherwise outputs “invalid” with 
overwhelming probability. Note that to prove public verifiability, we consider an 
adversary that can control all mix servers and all users. 

Proposition 3. Our mix net is publicly verifiable if there exists a group G in 
which the discrete logarithm problem is hard. 

Proof. The proof proceeds by contradiction. We assume that one or several mix 
servers cheat during the execution of a mixing protocol, yet manage to produce 
a transcript that fools an outside verifier into believing that the mixing was done 
correctly. We show how to use these cheating mix servers to compute discrete 
logarithms in the group G. Our proof is based on the following lemma: 

Lemma 1. Let $a$ and $b$ be two elements of a group $G$ of order $|G|$. For random 
values $r_1, \ldots, r_N$ and $s_1, \ldots, s_N$, we compute the following group elements: 
$h_i = a^{r_i} b^{s_i}$. Consider an adversary who on inputs $h_1, \ldots, h_N$ outputs integers 
$e_1, \ldots, e_N$ such that $\prod_{i=1}^{N} h_i^{e_i} = 1$ and at least one of the $e_i$'s is non-zero. With 
probability $1 - 1/|G|$, the knowledge of these $e_i$'s allows us to compute $\log_a b$. 

Proof. If $\sum_{i=1}^{N} s_i e_i \neq 0$, then we can compute $\log_a b = -\left(\sum_{i=1}^{N} r_i e_i\right) / \left(\sum_{i=1}^{N} s_i e_i\right)$. 
It remains to prove that $\sum_{i=1}^{N} s_i e_i \neq 0$ happens with probability $1 - 1/|G|$. Since 
the values $r_i$ are random, the knowledge of the $h_i$'s yields no information to 
the adversary about the $s_i$'s. Indeed we have $\log_a h_i = r_i + s_i \log_a b$. Since the 
distribution of $r_i$ is uniformly random, the distribution of $s_i$ is also uniformly 
random given $h_i$. The probability that the vector $E = (e_1, \ldots, e_N)$ chosen by the 
adversary is orthogonal to an unknown random $S = (s_1, \ldots, s_N)$ is $1 - 1/|G|$. □ 
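The extractor of Lemma 1, as an added example that is not part of the paper: the reduction keeps the exponents $r_i, s_i$ behind each oracle answer and turns any non-trivial product relation into $\log_a b$. The group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$), the generator and the adversary that builds the relation from a known discrete log are all constructed here for illustration.

```python
"""Added example (not from the paper): the extractor of Lemma 1 in a toy group.

The reduction knows the exponents behind h_i = a^{r_i} b^{s_i}.  An adversary
that returns e_1, ..., e_N with prod_i h_i^{e_i} = 1 (some e_i nonzero) lets the
reduction compute log_a b = -(sum r_i e_i) / (sum s_i e_i), which fails only
when sum s_i e_i = 0, i.e. with probability 1/|G|.

Group G: the order-Q subgroup of Z_P^* for the constructed toy safe prime
P = 2Q + 1 = 2039 (far too small for real use, chosen for readability).
"""
import random

P = 2039
Q = 1019
A = 4          # 4 = 2^2 is a quadratic residue != 1, so it has order exactly Q


def make_instance(x, num_elements, rng):
    """Play the random oracle of the proof: b = a^x and h_i = a^{r_i} b^{s_i}
    for random r_i, s_i; x is the discrete log the reduction wants back."""
    b = pow(A, x, P)
    r = [rng.randrange(Q) for _ in range(num_elements)]
    s = [rng.randrange(Q) for _ in range(num_elements)]
    h = [pow(A, ri, P) * pow(b, si, P) % P for ri, si in zip(r, s)]
    return b, h, r, s


def product_relation_holds(h, e):
    """Check the adversary's claim prod_i h_i^{e_i} = 1 in G."""
    acc = 1
    for hi, ei in zip(h, e):
        acc = acc * pow(hi, ei % Q, P) % P
    return acc == 1


def extract_dlog(r, s, e):
    """Lemma 1: return log_a b = -(sum r_i e_i)/(sum s_i e_i) mod Q, or None in
    the probability-1/|G| case sum s_i e_i = 0 where the relation tells nothing."""
    re_ = sum(ri * ei for ri, ei in zip(r, e)) % Q
    se = sum(si * ei for si, ei in zip(s, e)) % Q
    if se == 0:
        return None
    return (-re_) * pow(se, -1, Q) % Q


def relation_from_known_dlog(x, r, s, rng):
    """Stand-in for the cheating servers (hypothetical): an adversary that knows
    x and r, s can build a non-trivial relation because log_a h_i = r_i + x s_i;
    pick e_1..e_{N-1} at random and solve sum e_i (r_i + x s_i) = 0 for e_N."""
    coeff = [(ri + x * si) % Q for ri, si in zip(r, s)]
    if coeff[-1] == 0:
        raise ValueError("degenerate sample, resample r and s")
    e = [rng.randrange(1, Q) for _ in range(len(r) - 1)]
    partial = sum(ci * ei for ci, ei in zip(coeff, e)) % Q
    e.append((-partial) * pow(coeff[-1], -1, Q) % Q)
    return e


def run_reduction(x, num_elements=5, seed=0, max_attempts=20):
    """Repeat the lemma's experiment until the extractor succeeds; returns
    (recovered log, number of attempts).  Each attempt fails with probability
    about 1/Q, so a second attempt is essentially never needed."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        b, h, r, s = make_instance(x, num_elements, rng)
        try:
            e = relation_from_known_dlog(x, r, s, rng)
        except ValueError:
            continue
        if not product_relation_holds(h, e):
            raise AssertionError("constructed relation must hold in G")
        recovered = extract_dlog(r, s, e)
        if recovered is not None:
            return recovered, attempt
    raise RuntimeError("extraction kept hitting the 1/|G| failure case")
```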

Now let us turn to the proof of Proposition 3. We denote the inputs to the 
mix network as 

$(E_y(G_1, r_1), E_y(M_1, r'_1), E_y(H_1, r''_1)), \ldots, (E_y(G_N, r_N), E_y(M_N, r'_N), E_y(H_N, r''_N)),$ 

and denote the outputs of the mix network as 

$(E_y(\bar{G}_1, \bar{r}_1), E_y(\bar{M}_1, \bar{r}'_1), E_y(\bar{H}_1, \bar{r}''_1)), \ldots, (E_y(\bar{G}_N, \bar{r}_N), E_y(\bar{M}_N, \bar{r}'_N), E_y(\bar{H}_N, \bar{r}''_N)).$ 

For cheating to escape detection, the equation 

$\prod_{i=1}^{N} H_i = \prod_{i=1}^{N} \bar{H}_i \qquad (1)$ 

must hold, and in addition we must have $\bar{H}_i = h(\bar{G}_i, \bar{M}_i)$ for all $i$. Furthermore, 
since we restrict the notion of universal verifiability to valid inputs, we have 
$H_i = h(G_i, M_i)$ for all $i$. Equation (1) can therefore be rewritten: 

$\prod_{i=1}^{N} h(G_i, M_i) = \prod_{i=1}^{N} h(\bar{G}_i, \bar{M}_i). \qquad (2)$ 

Now recall that in our security proof, we model the hash function $h$ as a random 
oracle. Each time a mix server queries $h$ on a new input, we choose random 
values $r_i$ and $s_i$ and return $a^{r_i} b^{s_i}$ (we answer queries on inputs that have already 
been queried consistently). Since the mix server cheated, Equation (2) gives us a 
non-trivial product relationship of the type that allows us to compute discrete 
logarithms in the group $G$ according to Lemma 1, and this concludes the proof. 

□ 

Our mix network offers the same guarantee of privacy as all mix networks 
based on ElGamal re-encryptions, e.g. [Nef01]. 

7 Conclusions 

We constructed a verifiable mix network that is extremely fast in case none of the 
mix servers cheat. This enables election officials to quickly announce the results 
in the common case when all mix servers honestly follow the mixing protocol. 
In case one or more of the mix servers cheat, our system detects the cheating 
server or servers and then redoes the mixing using one of the standard (slower) 
mix systems [Nef01]. We emphasize that server cheating cannot compromise user 
privacy; it just causes the mixing process to run slower. 

Our fast verifiable mixing is achieved by using the homomorphic property 
of ElGamal encryption to quickly test that the product of all plaintext inputs 
is equal to the product of all plaintext outputs. Clearly, this simple product 
test is insufficient for proving correct mixing. However, we are able to prove 
that by adding an appropriate checksum to all inputs this product test becomes 
sufficient. Furthermore, we use double enveloping to ensure user privacy in case 
one or more mix servers cheat. We hope that our approach can be used to speed- 
up other secure distributed computations in case all participants honestly follow 
the protocol, without affecting security in case of cheating. 
Abstract. We provide two new construction methods for nonlinear re- 
silient functions. The first method is a simple modification of an elegant 
construction due to Zhang and Zheng and constructs n-input, m-output 
resilient S-boxes with degree $d > m$. We prove by an application of 
the Griesmer bound for linear error correcting codes that the modified 
Zhang-Zheng construction is superior to the previous method of Cheon 
in Crypto 2001. Our second construction uses a sharpened version of 
the Maiorana-McFarland technique to construct nonlinear resilient func- 
tions. The nonlinearity obtained by our second construction is better 
than previously known construction methods. 

Keywords: S-box, Griesmer bound, Resiliency, nonlinearity, algebraic 
degree, stream cipher. 


1 Introduction 

An $(n,m)$ S-box (or vectorial function) is a map $f : \{0,1\}^n \to \{0,1\}^m$. By an 
$(n,m,t)$ S-box (or $(n,m,t)$-resilient function) we mean a $t$-resilient $(n,m)$ S-box. 
An (n, 1, t)-resilient S-box is a resilient Boolean function. The cryptographic 
properties (like resiliency, nonlinearity, algebraic degree) of Boolean functions 
necessary for stream cipher applications have already been extensively studied. 
The resiliency property of S-box was introduced by Chor et al [5] and Ben- 
nett et al [1]. However, to be used in stream ciphers several other properties 
of S-box like nonlinearity and algebraic degree are also very important. Stinson 
and Massey [18] considered nonlinear resilient functions but only to disprove a 
conjecture. 

It was Zhang and Zheng [20] who first proposed a beautiful method of trans- 
forming a linear resilient S-box to construct a nonlinear resilient S-box with 
high nonlinearity and high algebraic degree keeping cryptography in mind. Af- 
ter that, serious efforts to construct nonlinear S-box with high nonlinearity and 
high algebraic degree have been made [8, 7, 12, 4] (see Section 2.4). 

The current state-of-art in resilient S-box design can be classified into the 
following two approaches. 

1. Construction of $(n,m,t)$-resilient functions with very high nonlinearity. 

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 466-483, 2002. 

© Springer- Verlag Berlin Heidelberg 2002 



Improved Construction of Nonlinear Resilient S-Boxes 


467 


2. Construction of $(n,m,t)$-resilient functions with degree $d > m$ and high 
nonlinearity. 

The first problem has been studied in [20,8,7,12]. The currently best known 
results are obtained using the construction described in [12], though in certain 
cases, for small number of variables, the search technique of [7] yields better 
results. The second problem has been less studied. To the best of our knowledge, 
the only known construction which provides functions of the second type is due 
to Cheon [4]. 

In this paper, we first prove that the correlation immunity of a resilient 
function is preserved under composition with an arbitrary Boolean function. This 
property is useful for possible application of resilient S-boxes in designing secure 
stream ciphers. Our main contribution consists of two different constructions for 
the above two classes of problems. In both cases our results provide significant 
improvement over all previous methods. 

The construction for the second problem is a simple modification of the 
Zhang-Zheng method [20]. To get algebraic degree $d > m$, we start with an $[n, d+1, t+1]$ 
code. Then we apply the Zhang-Zheng construction to obtain a nonlinear 
S-box. Finally we drop $d+1-m$ output columns to obtain an $(n,m,t)$-resilient 
S-box (see Section 4). This simple modification is powerful enough to improve 
upon the best known construction with algebraic degree greater than $m$ [4]. 
This clearly indicates the power of the original Zhang-Zheng construction. Our 
contribution is to apply the Griesmer bound for linear error correcting codes to 
prove that the modified Zhang-Zheng construction is superior to the best known 
construction [4]. We know of no other work where such a provable comparison 
of construction has been presented. 

The Maiorana-McFarland technique is a well known method to construct non- 
linear resilient functions. The idea is to use affine functions on small number of 
variables to construct nonlinear resilient functions on larger number of variables. 
We provide a construction to generate functions of the first type using a sharp- 
ened version of the Maiorana-McFarland method. For Boolean functions, the 
Maiorana-McFarland technique to construct resilient functions was introduced 
by Camion et al [2]. Nonlinearity calculation for the construction was first per- 
formed by Seberry, Zhang and Zheng [16]. This technique was later sharpened 
by Chee et al [3] and Sarkar-Maitra [15]. For S-boxes this technique has been 
used by [7] and [12], though [7] uses essentially a heuristic search technique. 
Here we develop and sharpen the technique of affine function concatenation to 
construct nonlinear resilient S-boxes. This leads to significant improvement in 
nonlinearity over that obtained in [12]. Thus we obtain better results than [12] 
which currently provides the best known nonlinearity results for most choices of 
input parameters $n, m, t$. 

The paper is organized as follows. Section 2 provides basic definitions, no- 
tations, the theory needed and a quick review of recent constructions. In Section 3 
we prove the composition theorem. Section 4 provides the modified Zhang-Zheng 
construction and some theorems to prove its advantage over the Cheon construc- 
tion. Section 5 provides some definitions and theory needed in that section. It 
also provides a construction by which we get $(n,m,t)$-resilient S-boxes with non- 
linearity greater than the nonlinearity obtained in [12], which is the best known 
till date. In Section 6 we compare the modified Zhang-Zheng construction with 
the Cheon construction, and also compare Construction-I of Section 5 with the Pasalic 
and Maitra construction [12]. Section 7 concludes this paper. 

2 Preliminaries 

This section has four parts. We cover preliminaries on Boolean functions and 
S-boxes in Sections 2.1 and 2.2 respectively. In Section 2.3, we mention the 
coding theory result that we require. In Section 2.4, we summarize the previous 
construction results. 

2.1 Boolean Functions 

Let $F_2 = GF(2)$. We consider the domain of a Boolean function to be the vector 
space $(F_2^n, \oplus)$ over $F_2$, where $\oplus$ is used to denote the addition operator over both 
$F_2$ and the vector space $F_2^n$. The inner product of two vectors $u, v \in F_2^n$ will 
be denoted by $\langle u, v \rangle$. The weight of an $n$-bit vector $u$ is the number of ones in 
$u$ and will be denoted by $wt(u)$. The (Hamming) distance between two vectors 
$x = (x_1, x_2, \ldots, x_n)$ and $y = (y_1, y_2, \ldots, y_n)$ is the number of places where they 
differ and is denoted by $d(x, y)$. The Walsh Transform of an $m$-variable Boolean 
function $g$ is an integer valued function $W_g : \{0,1\}^m \to [-2^m, 2^m]$ defined by 
(see [9, page 414]) 

$W_g(u) = \sum_{w \in F_2^m} (-1)^{g(w) \oplus \langle u, w \rangle} \qquad (1)$ 

The Walsh Transform is called the spectrum of $g$. The inverse Walsh Transform 
is given by 

$(-1)^{g(u)} = \frac{1}{2^m} \sum_{w \in F_2^m} W_g(w) (-1)^{\langle u, w \rangle} \qquad (2)$ 

An $m$-variable function is called correlation immune of order $t$ ($t$-CI) if $W_g(u) = 0$ 
for all $u$ with $1 \le wt(u) \le t$ [17, 19]. Further the function is balanced if and 
only if $W_g(0) = 0$. A balanced $t$-CI function is called $t$-resilient. For even $n$, an 
$n$-variable function $f$ is called bent if $W_f(u) = \pm 2^{n/2}$ for all $u \in F_2^n$ (see [14]). 
This class of functions is important in both cryptography and coding theory. 

A parameter of fundamental importance in cryptography is the nonlinearity 
of a function (see [9]). This is defined to be the distance from the set of all affine 
functions. It is more convenient to define it in terms of the spectrum of a Boolean 
function. The nonlinearity $nl(f)$ of an $n$-variable Boolean function $f$ is defined 

For even $n$, bent functions achieve the maximum possible nonlinearity. 
A Boolean function g can be uniquely represented by a multivariate poly- 
nomial over F 2 . The degree of the polynomial is called the algebraic degree or 
simply the degree of g. 


2.2 S-Boxes 

An $(n,m)$ S-box (or vectorial function) is a map $f : \{0,1\}^n \to \{0,1\}^m$. Let 
$f : \{0,1\}^n \to \{0,1\}^m$ be an S-box and $g : \{0,1\}^m \to \{0,1\}$ be an $m$-variable 
Boolean function. The composition of $g$ and $f$, denoted by $g \circ f$, is an $n$-variable 
Boolean function defined by $(g \circ f)(x) = g(f(x))$. An $(n,m)$ S-box $f$ is said to be 
$t$-CI, if $g \circ f$ is $t$-CI for every non-constant $m$-variable linear function $g$ (see [20]). 
Further, if $f$ is balanced then $f$ is called $t$-resilient. (The function $f$ is said to 
be balanced if $g \circ f$ is balanced for every non-constant $m$-variable linear function 
$g$.) By an $(n,m,t)$ S-box we mean a $t$-resilient $(n,m)$ S-box. Let $f$ be an $(n,m)$ 
S-box. The nonlinearity of $f$, denoted by $nl(f)$, is defined to be 

$nl(f) = \min\{nl(g \circ f) : g \text{ is a non-constant } m\text{-variable linear function}\}.$ 

Similarly the algebraic degree of $f$, denoted by $\deg(f)$, is defined to be 

$\deg(f) = \min\{\deg(g \circ f) : g \text{ is a non-constant } m\text{-variable linear function}\}.$ 

We will be interested in $(n,m)$ S-boxes with maximum possible nonlinearity. 
If $n = m$, the S-boxes achieving the maximum possible nonlinearity are called 
maximally nonlinear [6]. If $n$ is odd, then maximally nonlinear S-boxes have 
nonlinearity $2^{n-1} - 2^{(n-1)/2}$. For even $n$, it is possible to construct $(n,m)$ S-boxes 
with nonlinearity $2^{n-1} - 2^{n/2}$, though it is an open question whether this value is 
the maximum possible. 

An $(n,m)$ S-box with nonlinearity $2^{n-1} - 2^{n/2 - 1}$ is called a perfect nonlinear 
S-box. Nyberg [10] has shown that perfect nonlinear functions exist if and only 
if $n$ is even and $n \ge 2m$. For odd $n \ge 2m$, it is possible to construct S-boxes 
with nonlinearity $2^{n-1} - 2^{(n-1)/2}$. 

If we fix an enumeration of the set $\{0,1\}^n$, then an $(n,m)$ S-box $f$ is uniquely 
defined by a $2^n \times m$ matrix $M_f$. Given a sequence of S-boxes $f_1, \ldots, f_k$ where 
$f_i$ is an $(n_i, m)$ S-box we define the concatenation of $f_1, \ldots, f_k$ to be the matrix 

$M = \begin{bmatrix} M_{f_1} \\ \vdots \\ M_{f_k} \end{bmatrix}$ 

If $2^{n_1} + \cdots + 2^{n_k} = 2^n$ for some $n$, then the matrix $M$ uniquely defines an $(n,m)$ 
S-box $f$. In this case we say $f$ is the concatenation of $f_1, \ldots, f_k$. 


2.3 Coding Theory Results 

We will use some standard coding theory results and terminology all of which 
can be found in [9]. An $[n,k,d]$ binary linear code is a subset of $F_2^n$ which is 
a vector space of dimension $k$ over $F_2$ having minimum distance $d$. We here 
mention the Griesmer bound (see [9, page 546]). For an $[n,k,d]$ linear code let 
$N(k,d)$ = length of the shortest binary linear code of dimension $k$ and minimum 
distance $d$. 

The Griesmer bound states (see [9, page 547]) 

$N(k,d) \ge \sum_{i=0}^{k-1} \left\lceil \frac{d}{2^i} \right\rceil. \qquad (3)$ 

We say that the parameters $n, k, d$ satisfy the Griesmer bound with equality if 
$n = \sum_{i=0}^{k-1} \lceil d/2^i \rceil$. There is a general construction (see [9, page 550]) which gives a 
large class of codes meeting the Griesmer bound with equality. Given $d$ and $k$, 
define $s = \lceil d/2^{k-1} \rceil$ and $d = s 2^{k-1} - \sum_{i=1}^{p} 2^{u_i - 1}$ where $k > u_1 > \cdots > u_p \ge 1$. 
Given $d$ and $k$, there is an $[n = s(2^k - 1) - \sum_{i=1}^{p} (2^{u_i} - 1), k, d]$ code meeting the 
Griesmer bound with equality if $\sum_{i=1}^{p} u_i \le sk$ (see [9, page 552]). This 
condition is satisfied for most values of $d$ and $k$. 


2.4 Some Recent Constructions 

Here we summarize the previous construction results. 

1. Zhang and Zheng [20]: This is the first paper to provide an elegant general 
construction of nonlinear resilient S-boxes. The main result proved is the 
following [20, Corollary 6]. If there exists a linear $(n,m,t)$-resilient function, 
then there exists a nonlinear $(n,m,t)$-resilient function with algebraic degree 
$(m-1)$ and nonlinearity $\ge 2^{n-1} - 2^{n - \lceil m/2 \rceil}$. 

2. Kurosawa, Satoh and Yamamoto [8, Theorem 18]: For any even $l$ such that 
$l > 2m$, if there exists an $(n-l, m, t)$-resilient function, then there exists an 
$(n,m,t)$-resilient function, whose nonlinearity is at least $2^{n-1} - 2^{n - l/2 - 1}$. 

3. Johansson and Pasalic [7]: They use a linear error correcting code to build 
a matrix $A$ of small affine functions. Resiliency and nonlinearity are ensured 
by using non-intersecting codes along with the matrix $A$. The actual non- 
intersecting codes used were obtained by a heuristic search technique. It 
becomes difficult to carry out this search technique for $n > 12$. 

4. Pasalic and Maitra [12]: They use the matrix $A$ of the previous method (3) 
along with highly nonlinear functions for their construction. The nonlinearity 
obtained is higher than the previous methods, except in certain cases, where 
the search technique of (3) yields better results. 

5. Cheon [4, Theorem 5]: Uses linearized polynomials to construct nonlinear 
resilient functions. The nonlinearity calculation is based on the Hasse-Weil bound 
for higher genus curves. The main result is the following. If there exists an 
$[n,m,t]$ linear code then for any non-negative integer $D$ there exists an $(n+D+1, m, t-1)$-resilient 
function with algebraic degree $D$ and nonlinearity at least 
$2^{n+D} - 2^n \lfloor \sqrt{2^{n+D+1}} \rfloor + 2^{n-1}$. To date, this is the only construction which 
provides $(n,m,t)$ nonlinear resilient S-boxes with degree greater than $m$. 
3 A Composition Theorem for S-boxes 

We consider the composition of an $(n,m)$ S-box and an $m$-variable Boolean 
function. The following result describes the Walsh Transform of the composition. 

Theorem 1. Let $f : \{0,1\}^n \to \{0,1\}^m$ and $g : \{0,1\}^m \to \{0,1\}$. Then for any 
$w \in F_2^n$, 

$W_{g \circ f}(w) = \frac{1}{2^m} \sum_{v \in F_2^m} W_g(v) W_{(l_v \circ f)}(w)$ 

where $l_v = \langle v, x \rangle$ and $(l_v \circ f)(x) = \langle v, f(x) \rangle$. 

Proof. By Equation 2, we have $(-1)^{g(x)} = \frac{1}{2^m} \sum_{w \in F_2^m} W_g(w) (-1)^{\langle w, x \rangle}$. 

Hence, 

$(-1)^{(g \circ f)(x)} = (-1)^{g(f(x))} = \frac{1}{2^m} \sum_{v \in F_2^m} W_g(v) (-1)^{\langle v, f(x) \rangle} = \frac{1}{2^m} \sum_{v \in F_2^m} W_g(v) (-1)^{(l_v \circ f)(x)}.$ 

By Equation 1, we have 

$W_{g \circ f}(w) = \sum_{x \in F_2^n} (-1)^{(g \circ f)(x) \oplus \langle w, x \rangle} = \sum_{x \in F_2^n} \frac{1}{2^m} \sum_{v \in F_2^m} W_g(v) (-1)^{(l_v \circ f)(x) \oplus \langle w, x \rangle}$ 

$= \frac{1}{2^m} \sum_{v \in F_2^m} W_g(v) \sum_{x \in F_2^n} (-1)^{(l_v \circ f)(x) \oplus \langle w, x \rangle} = \frac{1}{2^m} \sum_{v \in F_2^m} W_g(v) W_{(l_v \circ f)}(w).$ □ 

Corollary 1. Let $f : \{0,1\}^n \to \{0,1\}^m$ be a balanced S-box. Let $g$ be an $m$-variable 
Boolean function. Then $(g \circ f)$ is balanced if and only if $g$ is balanced. 

Proof. Since $f$ is balanced, $W_{(l_v \circ f)}(0) = 0$ for all nonzero $v \in F_2^m$. 

Thus $W_{g \circ f}(0) = \frac{1}{2^m} W_g(0) \, 2^n = 2^{n-m} W_g(0)$. □ 

Remark: It is possible for $(g \circ f)$ to be balanced even when either only $f$ is 
unbalanced or both $f$ and $g$ are unbalanced. We present examples for these cases. 
Let $f : \{0,1\}^3 \to \{0,1\}^2$ be an unbalanced S-box and $f_1, f_2$ its component 
functions. 

(a) Let $f_1(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_1 x_2 \oplus x_1 x_3 \oplus x_1 x_2 x_3$ and $f_2(x_1, x_2, x_3) = 
x_2 \oplus x_1 x_2 \oplus x_2 x_3 \oplus x_1 x_3 \oplus x_1 x_2 x_3$ and $g(x_1, x_2) = x_1 \oplus x_2$. Here $f$ is unbalanced 
but $g$ is balanced. Observe $(g \circ f)(x_1, x_2, x_3) = f_1(x_1, x_2, x_3) \oplus f_2(x_1, x_2, x_3) = 
x_1 \oplus x_2 x_3$ is balanced. 

(b) Let $f_1(x_1, x_2, x_3) = x_3 \oplus x_1 x_2 \oplus x_1 x_2 x_3$ and $f_2(x_1, x_2, x_3) = x_2 \oplus x_3 \oplus 
x_1 x_2 \oplus x_2 x_3 \oplus x_1 x_2 x_3$ and $g(x_1, x_2) = x_1 x_2$. Here both $f$ and $g$ are unbalanced. 
Observe $(g \circ f)(x_1, x_2, x_3) = f_1(x_1, x_2, x_3) f_2(x_1, x_2, x_3) = x_3$, which is balanced. 
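Theorem 1 and the two examples of the Remark, checked numerically in an added example that is not part of the paper: Boolean functions are represented as truth tables, the Walsh transform is Equation (1), and the right-hand side of Theorem 1 is computed term by term and compared with the spectrum of $g \circ f$.

```python
"""Added example (not from the paper): Theorem 1 and the Remark, computed.

Truth tables are indexed by the integer x whose bit i-1 is x_i; an (n, m)
S-box is a list of m component truth tables.
"""


def parity(x):
    return bin(x).count("1") & 1


def bits(x, n):
    return tuple((x >> i) & 1 for i in range(n))


def truth_table(fn, n):
    """Truth table of fn, which takes the bit tuple (x_1, ..., x_n)."""
    return [fn(bits(x, n)) for x in range(1 << n)]


def walsh(tt, n):
    """Walsh transform, Equation (1): W[u] = sum_w (-1)^(tt[w] xor <u, w>)."""
    return [sum((-1) ** (tt[w] ^ parity(u & w)) for w in range(1 << n))
            for u in range(1 << n)]


def is_balanced(tt):
    return 2 * sum(tt) == len(tt)


def ci_order(tt, n):
    """Order of correlation immunity: largest t with W(u) = 0 for 1 <= wt(u) <= t."""
    W = walsh(tt, n)
    t = 0
    while t < n and all(W[u] == 0 for u in range(1 << n) if bin(u).count("1") == t + 1):
        t += 1
    return t


def compose(components, g, n):
    """Truth table of g o f, f = (f_1, ..., f_m) given by component truth tables."""
    return [g(tuple(comp[x] for comp in components)) for x in range(1 << n)]


def theorem1_rhs(components, g, n):
    """Right-hand side of Theorem 1 for every w: 2^-m sum_v W_g(v) W_{l_v o f}(w)."""
    m = len(components)
    Wg = walsh(truth_table(g, m), m)
    f_int = [sum(comp[x] << j for j, comp in enumerate(components)) for x in range(1 << n)]
    rhs = [0] * (1 << n)
    for v in range(1 << m):
        W_lvf = walsh([parity(v & f_int[x]) for x in range(1 << n)], n)   # l_v o f
        for w in range(1 << n):
            rhs[w] += Wg[v] * W_lvf[w]
    assert all(val % (1 << m) == 0 for val in rhs), "sum must be divisible by 2^m"
    return [val // (1 << m) for val in rhs]


# Remark, example (a): f unbalanced, g balanced, g o f = x_1 xor x_2 x_3 balanced.
F_A = [
    truth_table(lambda x: x[0] ^ x[1] ^ (x[0] & x[1]) ^ (x[0] & x[2]) ^ (x[0] & x[1] & x[2]), 3),
    truth_table(lambda x: x[1] ^ (x[0] & x[1]) ^ (x[1] & x[2]) ^ (x[0] & x[2]) ^ (x[0] & x[1] & x[2]), 3),
]


def G_A(y):
    return y[0] ^ y[1]


# Remark, example (b): f and g both unbalanced, g o f = x_3 balanced.
F_B = [
    truth_table(lambda x: x[2] ^ (x[0] & x[1]) ^ (x[0] & x[1] & x[2]), 3),
    truth_table(lambda x: x[1] ^ x[2] ^ (x[0] & x[1]) ^ (x[1] & x[2]) ^ (x[0] & x[1] & x[2]), 3),
]


def G_B(y):
    return y[0] & y[1]
```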

Theorem 1 and Corollary 1 provide the following theorem. 
Theorem 2. Let $f$ be a $t$-resilient S-box and $g$ be any arbitrary Boolean function. 
Then $(g \circ f)$ is $t$-CI. Further $(g \circ f)$ is $t$-resilient if and only if $g$ is balanced. 

Theorem 2 shows that correlation immunity of an $(n,m,t)$-resilient S-box is 
preserved under composition with an arbitrary $m$-variable Boolean function. 
This is an important security property for the use of resilient S-boxes in stream 
cipher design. 

4 Construction of $(n,m,t)$-Resilient S-Box with Degree $> m$ 

In this section we modify an elegant construction by Zhang and Zheng [20] 
to obtain high degree nonlinear resilient S-boxes. The following result is well 
known (see for example [20]). 

Theorem 3. Let $C$ be an $[n, m, t+1]$ binary linear code. Then we can construct 
a linear $(n,m,t)$-resilient function. 

Modified Zhang-Zheng (MZZ) Construction. 

— Inputs: Number of input columns $= n$, number of output columns $= m$, 
degree $= d > m$ and resiliency $= t$. 

— Output: An $(n,m,t)$-resilient function having degree $d$ and nonlinearity 
$2^{n-1} - 2^{n - \lceil (d+1)/2 \rceil}$. 

Procedure 

1. Use an $[n, d+1, t+1]$ code to obtain an $(n, d+1, t)$-resilient function $f$. 

2. Define $g = G \circ f$, where $G : \{0,1\}^{d+1} \to \{0,1\}^{d+1}$ is a bijection with $\deg(G) = d$ and 
$nl(G) \ge 2^d - 2^{\lfloor (d+1)/2 \rfloor}$ [11]. Then $nl(g) \ge 2^{n-d-1}(2^d - 2^{\lfloor (d+1)/2 \rfloor}) = 2^{n-1} - 2^{n - \lceil (d+1)/2 \rceil}$ 
and $\deg(g) = d$ [20, Corollary 6]. 

3. Drop $(d+1-m)$ columns from the output of $g$ to obtain an $(n,m,t)$-resilient 
function with degree $d$ and nonlinearity $2^{n-1} - 2^{n - \lceil (d+1)/2 \rceil}$. 

Remark: For Step 2 above, there are other bijections by which we get the same 
value of $nl(G)$, but $\deg(G) = d$ is achieved only for $G$ obtained from the inverse 
mapping $\tau : GF(2^{d+1}) \to GF(2^{d+1})$, with $\tau(x) = x^{-1}$ [6]. 

The modification to the Zhang-Zheng construction is really simple. If we 
want degree $d$, then we start with an $[n, d+1, t+1]$ code. Then we apply the 
main step of the Zhang-Zheng construction to obtain a nonlinear S-box. Finally we 
drop $d+1-m$ output columns to obtain an $(n,m,t)$-resilient S-box. Though 
simple, this modification is powerful enough to improve upon the best known 
construction with high algebraic degree [4]. This shows the power of the original 
Zhang-Zheng construction. Our contribution is to prove by an application of the 
Griesmer bound that the MZZ construction is superior to the best known con- 
struction [4, Cheon]. We know of no other work where such provable comparisons 
of constructions have been presented. 
Theorem 4. Let $n, m, d, t$ be such that the following two conditions hold. 

1. Either (a) $d < m$ or (b) $d > m > \log_2(t+1)$. 

2. The parameters $n, d+1, t+1$ meet the Griesmer bound with equality. 

Then it is not possible to construct an $(n,m,t)$-resilient function $f$ with degree 
$d$ using the Cheon [4] method. 

Proof. Recall the Cheon construction from Section 2.4. Given any $[N, M, T+1]$ code 
and a non-negative integer $D$, the Cheon construction produces an $(N+D+1, M, T)$-resilient 
function with degree $D$. Thus if $f$ is obtained by the Cheon 
construction we must have $n = N+D+1$, $m = M$, $t = T$ and $d = D$. 

This means that an $[n-d-1, m, t+1]$ code will be required by the Cheon 
construction. Since the parameters $n, d+1, t+1$ satisfy the Griesmer bound with 
equality we have $n = \sum_{i=0}^{d} \lceil (t+1)/2^i \rceil$. 

Claim: If (a) $d < m$ or (b) $d > m > \log_2(t+1)$ then $n-d-1 < \sum_{i=0}^{m-1} \lceil (t+1)/2^i \rceil$. 

Proof of the Claim: Since $n = \sum_{i=0}^{d} \lceil (t+1)/2^i \rceil$ we have that $n-d-1 < \sum_{i=0}^{m-1} \lceil (t+1)/2^i \rceil$ if 
and only if $\sum_{i=m}^{d} \lceil (t+1)/2^i \rceil - d - 1 < 0$. If $d < m$, then the last mentioned 
condition is trivially true. So suppose $d > m > \log_2(t+1)$. Then the above 
inequality holds if and only if $\sum_{i=m}^{d} \lceil (t+1)/2^i \rceil < d+1$. Since $m > \log_2(t+1)$, 
$\sum_{i=m}^{d} \lceil (t+1)/2^i \rceil = d-m+1 < d+1$ for $m \ge 1$. This completes the proof of the 
claim. 

Since $n-d-1 < \sum_{i=0}^{m-1} \lceil (t+1)/2^i \rceil$, the parameters $n-d-1, m, t+1$ violate the 
Griesmer bound and hence an $[n-d-1, m, t+1]$ code does not exist. Thus the Cheon 
method cannot be used to construct the function $f$. □ 

The following result is a consequence of Theorem 4 and the MZZ construc- 
tion. 

Theorem 5. Let $n, m, d, t$ be such that the following two conditions hold. 

1. Either (a) $d < m$ or (b) $d > m > \log_2(t+1)$. 

2. An $[n, d+1, t+1]$ code meeting the Griesmer bound with equality exists. 

Then it is possible to construct an $(n,m,t)$-resilient function $f$ with degree $d$ by 
the MZZ method which cannot be constructed using the Cheon [4] method. 

Remark: As mentioned in [9, page 550] there is a large class of codes which meet 
the Griesmer bound with equality. Further, the condition $d > m > \log_2(t+1)$ is 
quite weak. Hence there exists a large class of $(n,m,t)$-resilient functions which 
can be constructed using the MZZ construction but cannot be constructed using the 
Cheon [4] construction. See Section 6 for some concrete examples. 
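The MZZ procedure of this section and the Griesmer check behind Theorems 4 and 5, carried out on one small instance in an added example that is not part of the paper: the parameters $n = 7$, $d = 3$, $m = 2$, $t = 2$, the $[7,4,3]$ Hamming code, the choice of $x^4 + x + 1$ for $GF(2^4)$ and all helper names are constructed here. The inverse map of $GF(2^4)$ plays the role of the bijection $G$, and resiliency, degree and nonlinearity of the result are computed from the definitions of Section 2.

```python
"""Added worked example (not from the paper): the MZZ construction of Section 4
and the Griesmer check behind Theorems 4 and 5, on constructed toy parameters.

Worked instance: the [7,4,3] Hamming code gives n = 7, d+1 = 4, t+1 = 3.  The
Zhang-Zheng bijection G is the inverse map of GF(2^4) (degree 3), and dropping
d+1-m = 2 output columns leaves a (7,2,2)-resilient S-box of degree 3 and
nonlinearity 2^{n-1} - 2^{n-ceil((d+1)/2)} = 64 - 32 = 32.  Binary vectors are
integers whose bit i-1 holds coordinate i.
"""
from math import ceil

N, D, M, T = 7, 3, 2, 2              # n, d, m, t of the worked instance
HAMMING_GEN = [                      # generator matrix rows of the [7,4,3] code
    (1, 0, 0, 0, 1, 1, 0),
    (0, 1, 0, 0, 1, 0, 1),
    (0, 0, 1, 0, 0, 1, 1),
    (0, 0, 0, 1, 1, 1, 1),
]
GF16_MOD = 0b10011                   # x^4 + x + 1, defines GF(2^4)


def parity(x):
    return bin(x).count("1") & 1


def vec(bits):
    return sum(b << i for i, b in enumerate(bits))


def griesmer_sum(k, d):
    """Right-hand side of the Griesmer bound (3): sum_{i=0}^{k-1} ceil(d / 2^i)."""
    return sum(ceil(d / 2 ** i) for i in range(k))


def gf16_mul(a, b):
    r = 0
    for i in range(4):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(7, 3, -1):        # reduce modulo x^4 + x + 1
        if (r >> i) & 1:
            r ^= GF16_MOD << (i - 4)
    return r


def gf16_inv(a):
    """Inverse map tau(x) = x^-1 on GF(2^4) with 0 -> 0, computed as a^(2^4 - 2)."""
    r = 1
    for _ in range(14):
        r = gf16_mul(r, a)
    return r


def walsh(tt, n):
    """Walsh transform W(u) = sum_x (-1)^(tt[x] xor <u,x>) of a truth table."""
    return [sum((-1) ** (tt[x] ^ parity(u & x)) for x in range(1 << n))
            for u in range(1 << n)]


def nonlinearity(tt, n):
    return (1 << (n - 1)) - max(abs(w) for w in walsh(tt, n)) // 2


def degree(tt, n):
    """Algebraic degree via the Moebius transform (truth table -> ANF)."""
    anf = list(tt)
    for i in range(n):
        for x in range(1 << n):
            if (x >> i) & 1:
                anf[x] ^= anf[x ^ (1 << i)]
    return max((bin(x).count("1") for x in range(1 << n) if anf[x]), default=0)


def resiliency(tt, n):
    """Largest t with W(u) = 0 for all u of weight 0..t, or -1 if unbalanced."""
    W = walsh(tt, n)
    t = -1
    while t < n and all(W[u] == 0 for u in range(1 << n) if bin(u).count("1") == t + 1):
        t += 1
    return t


def sbox_profile(components, n):
    """(resiliency, degree, nonlinearity) of an S-box given by component truth
    tables: each is the minimum over all nonzero linear combinations (Section 2.2)."""
    as_int = [sum(c[x] << j for j, c in enumerate(components)) for x in range(1 << n)]
    combos = [[parity(c & y) for y in as_int] for c in range(1, 1 << len(components))]
    return (min(resiliency(tt, n) for tt in combos),
            min(degree(tt, n) for tt in combos),
            min(nonlinearity(tt, n) for tt in combos))


def mzz_sbox():
    """Steps 1-3 of the MZZ construction on the worked instance; returns the m
    component truth tables of the final (n, m, t)-resilient S-box."""
    rows = [vec(r) for r in HAMMING_GEN]
    # Step 1: linear (7,4,2)-resilient f(x) = (<g_1,x>, ..., <g_4,x>) from the code.
    f = [sum(parity(row & x) << j for j, row in enumerate(rows)) for x in range(1 << N)]
    g = [gf16_inv(y) for y in f]                          # Step 2: g = G o f, G = inverse map
    return [[(y >> j) & 1 for y in g] for j in range(M)]  # Step 3: keep m of the d+1 columns
```

The Griesmer check is the content of Theorem 4 on this instance: $[7,4,3]$ meets the bound with equality, while the $[n-d-1, m, t+1] = [3, 2, 3]$ code that Cheon's method would need violates it.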

The nonlinearity in the Cheon method is $2^{N+D} - 2^N \lfloor \sqrt{2^{N+D+1}} \rfloor + 2^{N-1}$ (see item 
5 of Section 2.4), which is positive if $D \ge N+1$ for $N \ge 2$. So for $D \le N$, the Cheon 
method does not provide any nonlinearity. Thus the Cheon method may provide high 
algebraic degree but it does not provide good nonlinearity. In fact, in the next 
theorem we prove that the nonlinearity obtained by the MZZ method is larger than the 
nonlinearity obtained by the Cheon method. 
Theorem 6. Let $f$ be an $(n,m,t)$-resilient function of degree $d$ and nonlinearity 
$n_1$ constructed by the Cheon method. Suppose there exists a linear $[n, d+1, t+1]$ 
code. Then it is possible to construct an $(n,m,t)$-resilient function $g$ with degree 
$d$ and nonlinearity $n_2$ using the MZZ method. Further $n_2 > n_1$. 

Proof. Since an $[n, d+1, t+1]$ code exists, the MZZ construction can be ap- 
plied to obtain an $(n,m,t)$-resilient function $g$ with degree $d$ and nonlinearity 
$nl(g) = n_2 = 2^{n-1} - 2^{n - \lceil (d+1)/2 \rceil}$. It remains to show that $n_2 > n_1$, which we show 
now. Recall $n_1 = 2^{n-1} - 2^{n-d-1} \lfloor \sqrt{2^n} \rfloor + 2^{n-d-2}$. Hence $n_2 - n_1 \ge -2^{n - \lceil (d+1)/2 \rceil} + 
2^{n-d-1} \lfloor \sqrt{2^n} \rfloor - 2^{n-d-2}$. Thus we have $n_2 > n_1$ if $-2^{-\lceil (d+1)/2 \rceil} + 2^{-(d+1)} \lfloor \sqrt{2^n} \rfloor - 
2^{-(d+2)} > 0$. The last condition holds if and only if $\lfloor \sqrt{2^n} \rfloor > 2^{d+1}(2^{-\lceil (d+1)/2 \rceil} + 2^{-(d+2)})$. 
So $n_2 > n_1$ if $\sqrt{2^n} - 1 > 2^{\lfloor (d+1)/2 \rfloor} + 2^{-1}$, i.e. if $2^{n/2} > 2^{\lfloor (d+1)/2 \rfloor} + 1$. Again the last condition 
holds for $1 \le d \le n-3$. Hence $n_2 > n_1$ for $1 \le d \le n-3$. The maximum possible 
degree of an S-box is $n-1$. For $d = n-1$ and $d = n-2$, the Cheon construction 
requires $[0, m, t+1]$ and $[1, m, t+1]$ codes respectively. Clearly such codes do not 
exist. Hence $n_2 > n_1$ holds for all $d$. □ 

Lemma 1. Let $f$ be an $(n,m,t)$-resilient function of degree $d > m$ constructed 
by the Cheon method and $m > \log_2(t+1)$. Then the parameters $n, d+1, t+1$ satisfy 
the Griesmer bound. 

Proof. Since $f$ has been obtained from the Cheon method, there exists an $[n-d-1, m, t+1]$ 
code. Hence the parameters $n-d-1$, $m$ and $t+1$ satisfy the Griesmer 
bound. Since $n-d-1$, $m$ and $t+1$ satisfy the Griesmer bound we have $n-d-1 \ge 
\sum_{i=0}^{m-1} \lceil (t+1)/2^i \rceil$, i.e. we have $n \ge d+1+\sum_{i=0}^{m-1} \lceil (t+1)/2^i \rceil$. As $m > \log_2(t+1)$ we have 
$\lceil (t+1)/2^i \rceil = 1$ for $i \ge m$. Hence $n \ge (d+1) - (d-m+1) + \sum_{i=m}^{d} \lceil (t+1)/2^i \rceil + \sum_{i=0}^{m-1} \lceil (t+1)/2^i \rceil$. 
This shows $n \ge m + \sum_{i=0}^{d} \lceil (t+1)/2^i \rceil$ and consequently $n \ge \sum_{i=0}^{d} \lceil (t+1)/2^i \rceil$. Thus the 
parameters $n, d+1, t+1$ satisfy the Griesmer bound. □ 

Remark: Since the parameters $n, d+1$ and $t+1$ satisfy the Griesmer bound, 
in most cases it is possible to obtain an $[n, d+1, t+1]$ code (see [9, page 550]) 
and apply Theorem 6. In fact we do not know any case where a function can be 
constructed using the Cheon method but not by the MZZ method. Theorems 5 and 
6 prove the clear advantage of the MZZ method over the Cheon construction. 
Thus the MZZ method is the currently known best method to construct $(n,m,t)$-resilient 
functions with degree $d > m$. 

5 A Construction to Obtain High Nonlinearity 

In this section we concentrate on obtaining $(n,m,t)$-resilient S-boxes with high 
nonlinearity only. We present a construction method which improves the non- 
linearity obtainable by the previously known methods. We start by mentioning 
the following result which is a restatement of Lemma 7 in [7]. 

Theorem 7. Let $C$ be a $[u, m, t+1]$ code. Then it is possible to construct a $(2^m - 1) \times m$ 
matrix $D$ with entries from $C$, such that $\{c_1 D_{i,1} \oplus \cdots \oplus c_m D_{i,m} : 1 \le 
i \le 2^m - 1\} = C \setminus \{(0, \ldots, 0)\}$ for each nonzero vector $(c_1, \ldots, c_m) \in F_2^m$. 
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Let D be the matrix in Theorem 7. For (1 < i < 2 m - 1) and (1 < j < m) 
define a u-variable linear function Ljj(x i, • • • , x u ) = {Dij, (xi, ■ ■ ■ , x u )). Given 
the code C we define a (2 m — 1) x m matrix L(C) whose entries axe it-variable 
linear functions by defining the i. j th entry of L(C) to be L it j(x i, • • • ,x u ). We 
have the following result which follows directly from Theorem 7. 

Proposition 1. Let c £ F™ be a nonzero row vector. Then all the entries of 
the column vector L(C)c T are distinct. 

For positive integers k, l with k < l, we define L(C, k, l) to be the submatrix of 
L(C) consisting of the rows k to l. Thus L(C, 1, 2 m — 1) = L(C). Let G(yi, ■ ■ ■ , y p ) 
be a (p,m) S-box whose component functions are G\, ■ ■ ■ , G rn . We define G ® 
L(C, k , l) to be an (l — k + 1) x m matrix whose i,j th entry is Gj (j/i, • • • , y p ) ® 
ij(xi, ■ ■ ■ , x u ) for 1 < i < l — k + 1 and 1 < j < m. If l — k + 1 = 2 r for 
some r then G ffl L(C, k, l) defines an S-box F : {0, l} r +J>+« — {0, l} m in the 
following manner. 

Fj(zi,--- ,z r ,yi,--- ,y P ,xi,--- ,x u ) = Gj |§i , • • ■ , y p ) ® L k+i _ 1J (x 1 , ■ ■ ■ , x u ) 

where 1 < j < m, 1 < i < 2 r , F\, ■ ■ ■ , F m are the component functions of F and 
Z\ ■ ■ ■ z r is the binary representation of i — l. By F = G(B L(C. k, l) we will mean 
the above representation of the S-box F. Note that the function F is t-resilient, 
since each Li.j(x\.- ■ ■ is non- degenerate on at least (t + 1) variables and 
hence t-resilient. 

In the matrix M = G(yi, ■ ■ ■ , y p )®L(C, k, l) we say that the row L*,* of L(C) 
is repeated 2 P times. Let G(yi, - ■ ■ ,y p ) and H(y 1 , - ■ ■ ,y q ) be (p, m) and (q,m) 
S-boxes respectively and Mi = G®L(C,k,l), M 2 = H ® L(C,k,l). Then we say 
that the row of L(C), (k < i < l) is repeated a total of 2 P + 2 9 times in the 
matrix [Mi M 2 ] T . 

Proposition 1 has also been used in [12] in the construction of resilient S-boxes. However, we improve upon the construction of [12] by utilizing the following two ideas.

1. We use all the $2^m - 1$ rows of the matrix $L(C)$. In contrast, [12] uses at most $2^{m-1}$ rows of $L(C)$.

2. We allow a row of $L(C)$ to be repeated $2^{r_1}$ or $2^{r_1} + 2^{r_2}$ or $2^{r_1} + 2^{r_2} + 2^{r_3}$ times as required. On the other hand, the number of times a row of $L(C)$ can be repeated in [12] is of the form $2^r$.

It turns out that a proper utilization of the above two techniques results in a significant improvement in nonlinearity. We will require $(r, m)$ S-boxes with very high nonlinearity. For this we propose to use the best known results, which we summarize in the following definition.

Definition 1. Let $G$ be an $(r, m)$ S-box satisfying the following.

1. If $r < m$, $G$ is a constant S-box.

2. If $m \le r < 2m$, $G$ is a maximally nonlinear S-box [6].

3. If $r \ge 2m$ and $r$ is even, $G$ is a perfect nonlinear S-box [11].

4. If $r \ge 2m$ and $r$ is odd, $G$ is the concatenation of two perfect nonlinear S-boxes (see Section 2.2).

Then we say that $G$ is a PROPER S-box.

The following result summarizes the best known results on the nonlinearity of PROPER S-boxes.

Proposition 2. Let $G$ be an $(r, m)$ PROPER S-box. Then

1. If $r < m$, $nl(G) = 0$.

2. If $m \le r < 2m$, then $nl(G) = 2^{r-1} - 2^{\frac{r-1}{2}}$ if $r$ is odd and $nl(G) \ge 2^{r-1} - 2^{\frac{r}{2}}$ if $r$ is even.

3. If $r \ge 2m$, then $nl(G) = 2^{r-1} - 2^{\frac{r}{2}-1}$ if $r$ is even and $nl(G) = 2^{r-1} - 2^{\frac{r-1}{2}}$ if $r$ is odd.

Now we are in a position to describe a new construction of resilient S-boxes. The construction has two parts. In Part-A, we compute the number of rows of $L(C)$ to be used and the number of times each row is to be repeated. The output of Part-A is a list of the form list $= ((n_1, R_1), (n_2, R_2), \ldots, (n_k, R_k))$ which signifies that $n_i$ rows of $L(C)$ are to be repeated $R_i$ times each. Part-A also computes a variable called effect which determines the nonlinearity of the S-box (see Theorem 8). In Part-B of the construction, we choose PROPER functions based on list and describe the actual construction of the S-box.

Construction-I

1. Input: Positive integers $(n, m)$ and $t$.

2. Output: A nonlinear $(n, m, t)$-resilient S-box $F$.

Part-A

1. Obtain the minimum $u$ such that a $[u, m, t + 1]$ code $C$ exists.

2. Case: $n - u < 0$; then the function cannot be constructed using this method. Hence stop.

3. Case: $n - u \ge 0$.

(a) $0 \le n - u < m$; list $= ((2^{n-u}, 1))$ and effect $= 1$.

(b) $m \le n - u < 2m - 1$; list $= ((2^{m-1}, 2^{n-u-m+1}))$ and effect $= 2^{n-u-m+1}$.

(c) $n - u = 2m - 1$; list $= ((2^{m-1}, 2^m))$ and effect $= 2^{\lfloor m/2 \rfloor + 1}$.

(d) $2m \le n - u < 3m$.

(i) $n - u = 2m + 2e$; $m$ even; $0 \le e < m/2$;
list $= ((1, 2^{m+2e+1}), (2^m - 2, 2^{m+2e}))$ and effect $= 2^{e+1+\frac{m}{2}}$.

(ii) $n - u = 2m + 2e + 1$; $m$ even; $0 \le e \le \frac{m}{2} - 1$;

• $0 \le e \le \frac{m}{2} - 2$;
list $= ((2, 2^{m+2e+1} + 2^{2e+1} + 2^{2e}), (2^m - 3, 2^{m+2e+1} + 2^{2e+1}))$ and effect $= 2^{2e+1} + 2^{2e} + 2^{e+1+\frac{m}{2}}$.

• $e = \frac{m}{2} - 1$; list $= ((2^{m-1}, 2^{2m}))$ and effect $= 2^m$.

(iii) $n - u = 2m + 2e + 1$; $m$ odd; $0 \le e \le \lfloor m/2 \rfloor - 1$;
list $= ((1, 2^{m+2e+2}), (2^m - 2, 2^{m+2e+1}))$ and effect $= 2^{\frac{2e+m+1}{2}+1}$.

(iv) $n - u = 2m + 2e$; $m$ odd; $0 \le e \le \lfloor m/2 \rfloor$;
list $= ((2^m - 2, 2^{m+2e} + 2^{2e+1}), (1, 2^{2e+2}))$ and effect $= 2^{2e+1} +$

(v) $n - u = 3m - 1$; $m$ odd;
list $= ((2^{m-1}, 2^{2m}))$ and effect $= 2^m$.

(e) $n - u \ge 3m$.

(i) $n - u = 3m + 2e + 1$; $e \ge 0$;
list $= ((2^{m-1}, 2^{2m+2e+2}))$ and effect $= 2^{m+e+1}$.

(ii) $n - u = 3m + 2e$; ($m$ even; $e \ge m/2$) or ($m$ odd; $0 \le e \le \lfloor m/2 \rfloor$);
list $= ((2, 2^{2m+2e} + 2^{m+2e} + 2^{m+2e-1}), (2^m - 3, 2^{2m+2e} + 2^{m+2e}))$ and effect $= 2^{m+e} + 2^{e+1+\lceil m/2 \rceil}$.

(iii) $n - u = 3m + 2e$; $m$ even; $0 \le e < m/2$;
list $= ((2^m - 2, 2^{2m+2e} + 2^{m+2e+1}), (1, 2^{m+2e+2}))$ and effect $= 2^{m+e} + 2^{e+1+\frac{m}{2}}$.

(iv) $n - u = 3m + 2e$; $m$ odd; $e > \lfloor m/2 \rfloor$;
list $= ((2^m - 2, 2^{2m+2e} + 2^{m+2e+1}), (1, 2^{m+2e+2}))$ and effect $= 2^{m+e} + 2^{e+\frac{m+1}{2}}$.


Part-B

1. If list $= ((2^s, 2^r))$;

• Obtain $L(C, 1, 2^s)$ from $L(C)$ by selecting the first $2^s$ rows of $L(C)$.

• Let $G$ be an $(r, m)$ PROPER S-box.

• Define $F = G \oplus L(C, 1, 2^s)$.

• This covers cases 3(a), (b), (c), (d)(ii) second item, (d)(v) and (e)(i) of Part-A.

2. Case: 3(d)(i) of Part-A

• Let $G_1$ and $G_2$ be $(m + 2e + 1, m)$ and $(m + 2e, m)$ PROPER S-boxes.

• Define $F_1 = G_1 \oplus L(C, 1, 1)$, $F_2 = G_2 \oplus L(C, 2, 2^m - 1)$.

• $F$ is the concatenation of $F_1$ and $F_2$.

3. Case: 3(d)(ii) first item of Part-A and $e = 0$

• Let $G_1$ and $G_2$ be $(m + 1, m)$ and $(1, m)$ PROPER S-boxes.

• Define $F_1 = G_1 \oplus L(C)$, $F_2 = G_2 \oplus L(C)$, $F_3 = L(C, 1, 2)$.

• $F$ is the concatenation of $F_1$, $F_2$ and $F_3$.

4. Case: 3(d)(ii) first item of Part-A and $e \ne 0$

• Let $G_1$, $G_2$ and $G_3$ be $(m + 2e + 1, m)$, $(2e + 1, m)$ and $(2e, m)$ PROPER S-boxes.

• Define $F_1 = G_1 \oplus L(C)$, $F_2 = G_2 \oplus L(C)$, $F_3 = G_3 \oplus L(C, 1, 2)$.

• $F$ is the concatenation of $F_1$, $F_2$ and $F_3$.

5. Case: 3(d)(iii) of Part-A

• Let $G_1$ and $G_2$ be $(m + 2e + 2, m)$ and $(m + 2e + 1, m)$ PROPER S-boxes.

• Define $F_1 = G_1 \oplus L(C, 1, 1)$, $F_2 = G_2 \oplus L(C, 2, 2^m - 1)$.

• $F$ is the concatenation of $F_1$ and $F_2$.

6. Case: 3(d)(iv) of Part-A

• Let $G_1$, $G_2$ and $G_3$ be $(m + 2e, m)$, $(2e + 2, m)$ and $(2e + 1, m)$ PROPER S-boxes.

• Define $F_1 = G_1 \oplus L(C, 1, 2^m - 2)$, $F_2 = G_2 \oplus L(C, 2^m - 1, 2^m - 1)$, $F_3 = G_3 \oplus L(C, 1, 2^m - 2)$.

• $F$ is the concatenation of $F_1$, $F_2$ and $F_3$.

7. Case: 3(e)(ii) of Part-A

• Let $G_1$, $G_2$ and $G_3$ be $(2m + 2e, m)$, $(m + 2e, m)$ and $(m + 2e - 1, m)$ PROPER S-boxes.

• Define $F_1 = G_1 \oplus L(C)$, $F_2 = G_2 \oplus L(C)$, $F_3 = G_3 \oplus L(C, 1, 2)$.

• $F$ is the concatenation of $F_1$, $F_2$ and $F_3$.

8. Case: 3(e)(iii) and 3(e)(iv) of Part-A

• Let $G_1$, $G_2$ and $G_3$ be $(2m + 2e, m)$, $(m + 2e + 2, m)$ and $(m + 2e + 1, m)$ PROPER S-boxes.

• Define $F_1 = G_1 \oplus L(C, 1, 2^m - 2)$, $F_2 = G_2 \oplus L(C, 2^m - 1, 2^m - 1)$, $F_3 = G_3 \oplus L(C, 1, 2^m - 2)$.

• $F$ is the concatenation of $F_1$, $F_2$ and $F_3$.

Theorem 8. Construction-I provides a nonlinear $(n, m, t)$-resilient S-box with nonlinearity $= (2^{n-1} - 2^{u-1} \times \text{effect})$, where effect is as computed in Part-A.

Proof. There are several things to be proved.

(a) The output function $F$ is an $(n, m)$ S-box. (b) $F$ is $t$-resilient. (c) $nl(F) = (2^{n-1} - 2^{u-1} \times \text{effect})$.

Proof of (a). The output of Part-A is a list $= ((n_1, R_1), (n_2, R_2), \ldots, (n_k, R_k))$. Part-B ensures that for $1 \le i \le k$, $n_i$ rows of $L(C)$ are repeated $R_i$ times each. It is easy to verify that in each case of Part-A we have $\sum_{i=1}^{k} n_i R_i = 2^{n-u}$. Since each row $L_{i,*}$ of $L(C)$ defines a $(u, m)$ S-box, ultimately $F$ is an $(n, m)$ S-box.

Proof of (b). Each row $L_{i,*}$ of $L(C)$ defines a $t$-resilient $(u, m)$ S-box. $F$ is formed by concatenating the rows of $L(C)$ one or more times. Hence $F$ is $t$-resilient.

Proof of (c). The nonlinearity calculation is similar for all the cases. As an example, we perform the calculation for Case 3(e)(ii). In this case, Part-A computes list $= ((2, 2^{2m+2e} + 2^{m+2e} + 2^{m+2e-1}), (2^m - 3, 2^{2m+2e} + 2^{m+2e}))$. Let $R_1 = 2^{2m+2e} + 2^{m+2e} + 2^{m+2e-1}$ and $R_2 = 2^{2m+2e} + 2^{m+2e}$. Rows $L_{1,*}$ and $L_{2,*}$ of $L(C)$ are repeated $R_1$ times each and each of the rows $L_{3,*}$ to $L_{2^m-1,*}$ is repeated $R_2$ times. Part-B uses three PROPER functions $G_1$, $G_2$ and $G_3$ to construct S-boxes $F_1$, $F_2$ and $F_3$ respectively. $F$ is the concatenation of $F_1$, $F_2$ and $F_3$. We have to show that if $v$ is a non-constant $m$-variable linear function and $\lambda$ is an $n$-variable linear function, then $d(v \circ F, \lambda) \ge (2^{n-1} - 2^{u-1} \times \text{effect})$. We write $\lambda$ as $\lambda(y_1, \ldots, y_{n-u}, x_1, \ldots, x_u) = \lambda_1(y_1, \ldots, y_{n-u}) \oplus \lambda_2(x_1, \ldots, x_u)$. Let $v(z_1, \ldots, z_m) = \langle (c_1, \ldots, c_m), (z_1, \ldots, z_m) \rangle$ for some non-zero vector $c = (c_1, \ldots, c_m) \in F_2^m$. The Boolean function $v \circ F$ is a concatenation of the Boolean functions $v \circ F_1$, $v \circ F_2$ and $v \circ F_3$. For $1 \le i \le 2$, $v \circ F_i = (v \circ G_i) \oplus (L(C)c^T)$ and $v \circ F_3 = (v \circ G_3) \oplus (L(C, 1, 2)c^T)$. Using Proposition 1, we know that all the entries of the column vector $L(C)c^T$ are distinct $u$-variable linear functions. Let $L(C)c^T = [\mu_1, \ldots, \mu_{2^m-1}]^T$. The function $v \circ F$ is a concatenation of the $\mu_i$'s and their complements. Further, $\mu_1$ and $\mu_2$ are repeated $R_1$ times and $\mu_3, \ldots, \mu_{2^m-1}$ are repeated $R_2$ times in the construction of $v \circ F$. If $\lambda_2 \notin \{\mu_1, \ldots, \mu_{2^m-1}\}$ then $d(\lambda_2, \mu_i) = 2^{u-1}$ for each $1 \le i \le 2^m - 1$ and hence $d(v \circ F, \lambda) = 2^{n-u}(2^{u-1}) = 2^{n-1}$. Now suppose $\lambda_2 = \mu_i$ for some $i \in \{1, \ldots, 2^m - 1\}$. In this case $d(v \circ F, \lambda)$ will be less than $2^{n-1}$ and the actual value is determined by the repetition factors $R_1$ and $R_2$. There are two cases to consider.

Case 1: $\lambda_2 = \mu_1$ or $\mu_2$. Without loss of generality we assume $\lambda_2 = \mu_1$, the other case being similar. Since $\lambda_2 = \mu_1$, we have $d(\lambda_2, \mu_i) = 2^{u-1}$ for $2 \le i \le 2^m - 1$. The function $\mu_2$ is repeated $R_1$ times and each of the functions $\mu_3, \ldots, \mu_{2^m-1}$ is repeated $R_2$ times. So the total contribution of $\mu_2, \mu_3, \ldots, \mu_{2^m-1}$ to $d(v \circ F, \lambda)$ is $2^{u-1}(R_1 + (2^m - 3)R_2)$. We now have to compute the contribution of $\mu_1$ to $d(v \circ F, \lambda)$. The function $\mu_1$ is repeated in $v \circ F_i$ by XORing with $v \circ G_i$. Hence the contribution of $\mu_1$ to $d(v \circ F, \lambda)$ is equal to $2^u(nl(v \circ G_1) + nl(v \circ G_2) + nl(v \circ G_3)) = 2^u(nl(G_1) + nl(G_2) + nl(G_3))$ since $nl(v \circ G_i) = nl(G_i)$. Each $G_i$ is a PROPER function whose nonlinearity is given by Proposition 2.

Hence, $d(v \circ F, \lambda) = 2^{u-1}(R_1 + (2^m - 3)R_2 + 2(nl(G_1) + nl(G_2) + nl(G_3))) = 2^{u-1}(2^{n-u} - (R_1 - 2(nl(G_1) + nl(G_2) + nl(G_3)))) = 2^{n-1} - 2^{u-1}(R_1 - 2(nl(G_1) + nl(G_2) + nl(G_3)))$.

From the given conditions, it is easy to verify that effect $= R_1 - 2(nl(G_1) + nl(G_2) + nl(G_3))$ and so $d(v \circ F, \lambda) = (2^{n-1} - 2^{u-1} \times \text{effect})$.

Case 2: $\lambda_2 = \mu_i$ for some $i \in \{3, \ldots, 2^m - 1\}$. In this case we proceed as in the previous case to obtain $d(v \circ F, \lambda) = 2^{u-1}(2R_1 + (2^m - 4)R_2) + 2^u(nl(G_1) + nl(G_2)) = 2^{u-1}(2R_1 + (2^m - 4)R_2 + 2(nl(G_1) + nl(G_2))) = 2^{u-1}(2^{n-u} - R_2 + 2(nl(G_1) + nl(G_2))) = 2^{n-1} - 2^{u-1}(R_2 - 2(nl(G_1) + nl(G_2))) \ge 2^{n-1} - 2^{u-1} \times \text{effect}$, since effect $= R_1 - 2(nl(G_1) + nl(G_2) + nl(G_3)) \ge R_2 - 2(nl(G_1) + nl(G_2))$.

By Case 1 and Case 2 above it follows that $nl(v \circ F) = 2^{n-1} - 2^{u-1} \times \text{effect}$. Hence $nl(F) = 2^{n-1} - 2^{u-1} \times \text{effect}$. □
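
As an added example (not code from the paper), the following Python builds $L(C)$ for a $[3, 2, 2]$ code, checks Proposition 1, runs Part-A case 3(d)(i) / Part-B case 2 of Construction-I for $m = 2$, $t = 1$, $n = 7$, and verifies both the resiliency and the nonlinearity predicted by Theorem 8 by computing Walsh spectra. Since Theorem 7 is not reproduced on this page, the $GF(4)$-based layout of the rows of $L(C)$ and the particular S-boxes `G1`, `G2` are assumptions of this example.

```python
# Added example (not code from the paper): Construction-I on a toy instance with m = 2, t = 1.
# Assumed here: L(C) is built by identifying the [3,2,2] code with GF(4) through a basis and
# multiplying by powers of a primitive element (rows then satisfy Proposition 1); G1 (3,2)
# and G2 (2,2) are hand-picked S-boxes with the nonlinearity of a PROPER S-box.
from functools import reduce

U, M = 3, 2                   # [u, m, t+1] = [3, 2, 2] code: words 000, 110, 101, 011
GEN = [0b110, 0b101]          # generator rows, indexed by the GF(4) basis {1, beta}

def gf_mul(a, b, m=M, poly=0b111):
    """Multiply in GF(2^m) modulo `poly` (x^2 + x + 1 for GF(4))."""
    r = 0
    for _ in range(m):
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a >> m & 1:
            a ^= poly
    return r

def phi(e):
    """Linear map GF(2^m) -> C: the basis bits of a field element select generator rows."""
    return reduce(lambda s, t: s ^ t, (GEN[j] for j in range(M) if e >> j & 1), 0)

# Row i of L(C) holds the codewords D_{i,j} = phi(beta^i * beta^(j-1)); the (i,j) entry of
# L(C) is the u-variable linear function x -> <D_{i,j}, x>.
BETA_POW = [1]
for _ in range(2 ** M - 2):
    BETA_POW.append(gf_mul(BETA_POW[-1], 0b10))
L = [[phi(gf_mul(BETA_POW[i], BETA_POW[j])) for j in range(M)] for i in range(2 ** M - 1)]

def prop1_holds(rows):
    """Proposition 1: for every nonzero c the entries of L(C) c^T are pairwise distinct."""
    for c in range(1, 1 << M):
        col = [reduce(lambda s, t: s ^ t, (r[j] for j in range(M) if c >> j & 1), 0) for r in rows]
        if len(set(col)) != len(rows):
            return False
    return True

def walsh(tt):
    """Walsh spectrum of a truth table: W[a] = sum_x (-1)^(f(x) + a.x)."""
    w, h = [1 - 2 * b for b in tt], 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    return (len(tt) - max(abs(x) for x in walsh(tt))) // 2

def resiliency(tt):
    """Largest t with W[a] = 0 for all wt(a) <= t; -1 if f is not even balanced."""
    w, n, t = walsh(tt), len(tt).bit_length() - 1, -1
    for k in range(n + 1):
        if any(w[a] for a in range(1 << n) if bin(a).count("1") == k):
            break
        t = k
    return t

def combine(sbox, c):
    """Truth table of v o S for the linear form v = <c, .> on the m output bits."""
    return [sum(sbox[j][x] for j in range(M) if c >> j & 1) & 1 for x in range(len(sbox[0]))]

def sbox_nl(sbox):
    return min(nonlinearity(combine(sbox, c)) for c in range(1, 1 << M))

def sbox_resiliency(sbox):
    return min(resiliency(combine(sbox, c)) for c in range(1, 1 << M))

def g_xor_L(gbox, p, k, l):
    """F = G (+) L(C, k, l): rows k..l of L(C) (1-indexed, 2^r of them), each repeated 2^p
    times; the input word z | y | x (row selector, G input, code variables) follows F_j."""
    r = (l - k + 1).bit_length() - 1
    assert l - k + 1 == 1 << r
    n, comps = r + p + U, []
    for j in range(M):
        tt = []
        for word in range(1 << n):
            z, y, x = word >> (p + U), (word >> U) & ((1 << p) - 1), word & ((1 << U) - 1)
            tt.append(gbox[j][y] ^ (bin(L[k - 1 + z][j] & x).count("1") & 1))
        comps.append(tt)
    return comps

def concat(*sboxes):
    """Concatenate equal-size S-boxes: a new top input bit selects the piece."""
    return [sum((s[j] for s in sboxes), []) for j in range(M)]

# Hand-picked PROPER S-boxes: G1 is (3,2) with nl = 2 (maximally nonlinear for r = 3);
# G2 is (2,2) with nl = 0 (the best possible for r = 2). Bit i of y is y_{i+1}.
G1 = [[((y & 1) & (y >> 1 & 1)) ^ (y >> 2 & 1) for y in range(8)],
      [((y >> 1 & 1) & (y >> 2 & 1)) ^ (y & 1) for y in range(8)]]
G2 = [[y & 1 for y in range(4)], [y >> 1 & 1 for y in range(4)]]

def construction_case_3d_i():
    """Part-A case 3(d)(i) with m = 2, e = 0, n - u = 4 (n = 7): list = ((1, 8), (2, 4)) and
    effect = 2^(e+1+m/2) = 4; Part-B case 2 gives F = F1 || F2. Returns (F, Theorem 8 nl)."""
    f1 = g_xor_L(G1, 3, 1, 1)      # row 1 of L(C) repeated 2^3 times: a (6,2) S-box
    f2 = g_xor_L(G2, 2, 2, 3)      # rows 2..3 repeated 2^2 times each: a (6,2) S-box
    effect = 8 - 2 * sbox_nl(G1)   # R1 - 2 nl(G1), as in the proof of Theorem 8
    return concat(f1, f2), 2 ** 6 - 2 ** (U - 1) * effect
```

For this instance `sbox_resiliency(F)` returns 1 and `sbox_nl(F)` returns 48, which is exactly $2^{n-1} - 2^{u-1} \times \text{effect} = 64 - 4 \times 4$.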

6 Results and Comparisons 

Here we compare the construction methods described in this paper to the known 
construction methods. 


6.1 Degree Comparison Based on MZZ Construction

We present examples to show the advantage of the MZZ method over the Cheon method. The Cheon method cannot construct an $(n, m, t)$-resilient function of degree $d > m \ge 2$ if the following two conditions hold.

(1) $t$ and $m$ satisfy the following table (columns $t = 1$, $2$ to $3$, $4$ to $7$, $8$ to $15$ against the corresponding condition on $m$; the legible cells read $m \ge 2$, $m \ge 2$, $m \ge 3$).

(2) The parameters $n$, $d + 1$, $t + 1$ satisfy the Griesmer bound with equality.

We next present some examples of $n, m, d$ and $t$ satisfying conditions (1) and (2) such that the MZZ method can be used to construct an $(n, m, t)$-resilient function with degree $d$.

(a) $t = 1$, $2 \le m \le d$, $n = d + 2$. It is easy to check that a $[d + 2, d + 1, 2]$ code exists.

(b) $t = 2$, $2 \le m \le d$, $(n, d) = (6, 2), (7, 3), (8, 4), (9, 5), (10, 6), (11, 7)$. In each case an $[n, d + 1, t + 1]$ code exists.
Table 1. Comparison of nonlinearity obtained by MZZ Construction to that obtained by Cheon [4]. (Columns: Function $= (10, 3, 1, 5)$, $(18, 4, 2, 10)$, $(24, 5, 2, 15)$, $(24, 7, 3, 12)$, $(28, 6, 4, 14)$; rows: Cheon [4, Theorem 5] and MZZ; of the Cheon row only the first entry, 8, and the last, $2^{12}$, are legible.)


(c) $t = 3$, $2 \le m \le d$, $(n, d) = (7, 2), (8, 3), (11, 6), (12, 7), (13, 8)$. In each case an $[n, d + 1, t + 1]$ code exists.

In (a) to (c) above an $(n, m, t)$-resilient function with degree $d$ can be constructed using the MZZ method, but cannot be constructed using the Cheon method (see Theorem 5). Now we present some examples where both the MZZ and Cheon methods construct an $(n, m, t)$-resilient function with degree $d$ and compare their nonlinearity using Theorem 6. An $(n, m, d, t)$ S-box is an $(n, m, t)$-resilient S-box with degree $d$.

We see that in each case the nonlinearity obtained by the MZZ method is far superior to that obtained by the Cheon method.


6.2 Nonlinearity Comparison Based on Construction-I 

We compare the nonlinearity obtained by Construction-I to the nonlinearity obtained in Theorem 4 of [12]. The nonlinearity obtained in [12] is better than the nonlinearity obtained by other methods. Hence we do not compare our method with the other methods. It is to be noted that in certain cases the search technique of [7] provides better nonlinearity than [12].

Our first observation is that the nonlinearity obtained by Construction-I is at least as large as the nonlinearity obtained in [12]. The intuitive reason is that we use all the rows of the matrix $L(C)$ and hence the repetition factor is smaller than that of [12]. The detailed verification of the superiority of Construction-I over [12] is straightforward but tedious. In the next table we summarize the cases under which Construction-I yields higher nonlinearity than [12]. We list the different cases of Part-A corresponding to the different rows of the table.


Table 2. Comparison of Construction-I nonlinearity with the nonlinearity of [12]. Rows of the table: (1) Case 3(d)(ii) first item; (2) Case 3(d)(iv); (3) Case 3(d)(i) and Case 3(d)(iii); (4) Case 3(d)(ii) first item; (5) Case 3(e)(iii), $m > 2$ and Case 3(e)(ii), $m > 2$; (6) Case 3(e)(iv), $m > 1$.

In Tables 3 to 5 we provide some concrete examples of cases where the nonlinearity obtained by Construction-I is better than that obtained by [12]. Each entry of Tables 3 to 5 is of the form $(a, b)$, where $a$ is the nonlinearity obtained by [12] and $b$ is the nonlinearity obtained by Construction-I.

The linear codes used in Table 3 are $[5, 4, 2]$, $[7, 4, 3]$ and $[8, 4, 4]$. The 2nd, 4th and 6th rows give the nonlinearity of $(n, m, t)$-resilient functions corresponding to the codes $[5, 4, 2]$, $[7, 4, 3]$ and $[8, 4, 4]$ respectively for different values of $n$.

The linear codes used in Table 4 are $[6, 5, 2]$, $[9, 5, 3]$ and $[10, 5, 4]$.

The linear codes used in Table 5 are $[7, 6, 2]$, $[10, 6, 3]$ and $[10, 6, 4]$.

The nonlinearity of $(36, 8, t)$-resilient S-boxes has been used as an important benchmark example in [8, 7, 12]. Now we compare our nonlinearity with those (Table 6).

The results of [7] are not constructive; they show that resilient S-boxes with such parameters exist. Note that, except for resiliencies of order 1 and 3, our nonlinearity is better than the nonlinearity of [12]. It should also be noted that in all the cases we provide a construction with the currently best known nonlinearity.


Table 3. Comparison of Construction-I nonlinearity with [12] for $m = 4$ and resiliency $= 1, 2, 3$.

Table 4. Comparison of Construction-I nonlinearity with [12] for $m = 5$ and resiliency $= 1, 2, 3$.

Table 5. Comparison of Construction-I nonlinearity with [12] for $m = 6$ and resiliency

Table 6. Comparison of nonlinearity of $(36, 8, t)$-resilient S-boxes using different methods.

t     | 7           | 6           | 5           | 4           | 3           | 2           | 1
------|-------------|-------------|-------------|-------------|-------------|-------------|------------
[8]   | 2^35 - 2^27 | 2^35 - 2^27 | 2^35 - 2^26 | 2^35 - 2^25 | 2^35 - 2^24 | 2^35 - 2^23 | 2^35 - 2^22
[7]   | 2^35 - 2^22 |             | 2^35 - 2^23 | 2^35 - 2^22 | 2^35 - 2^22 | 2^35 - 2^21 | 2^35 - 2^21
[12]  | 2^35 - 2^25 | 2^35 - 2^24 | 2^35 - 2^23 | 2^35 - 2^23 | 2^35 - 2^20 | 2^35 - 2^20 | 2^35 - 2^18
Ours  | 2^35 - 2^24 | 2^35 - 2^24 | 2^35 - 2^23 | 2^35 - 2^22 | 2^35 - 2^20 | 2^35 - 2^20 | 2^35 - 2^18
Codes | [20, 8, 8]  | [19, 8, 7]  | [17, 8, 6]  | [16, 8, 5]  | [13, 8, 4]  | [12, 8, 3]  | [9, 8, 2]

7 Conclusion

In this paper we consider the construction of nonlinear resilient S-boxes. We prove that the correlation immunity of a resilient S-box is preserved under composition with an arbitrary Boolean function. Our main contribution is to obtain two construction methods for nonlinear resilient S-boxes. The first construction is a simple modification of an elegant construction due to Zhang and Zheng [20]. This provides $(n, m, t)$-resilient S-boxes with degree $d > m$. We prove that the modified Zhang-Zheng construction is superior to the only previously known construction [4] which provided degree $d > m$. Our second construction is based on the concatenation of small affine functions to build nonlinear resilient S-boxes. We sharpen the technique to construct $(n, m, t)$-resilient S-boxes with the currently best known nonlinearity.
Abstract. The enumeration of $m$-resilient Boolean functions in $n$ variables would be quite useful information for cryptography. But it seems to be an intractable open problem. Upper and lower bounds have appeared in the literature in the mid 80's. Since then, improving them has been the goal of several papers. In this paper, we give a new upper bound which partially improves upon all the known bounds.

Keywords: Cryptography, Stream cipher, Boolean function, Resilient function


1 Introduction 

The principle of private-key cryptography relies on the sharing of a private key between the sender of a message and its receiver. Symmetric cryptosystems are commonly used owing to their efficiency. Currently, there is no mathematical proof to ensure the unconditional security of the system except for the famous Vernam [13] scheme. This system produces the encoded text by adding bitwise the plain text and the private key. Then the receiver retrieves the plain text by using the same addition of the encoded text and the private key. In practice, since the length of the private key must equal the length of the plain text, pseudo-random generators are used for stream ciphers in order to minimize the size of the private key (but the unconditional security is then no longer ensured). In order to achieve maximal security, these systems are much studied.

The basic component of a keystream generator is the Linear Feedback Shift Register (LFSR). The generic example of a keystream generator is composed of $n$ LFSRs whose outputs are combined by a Boolean function from $F_2^n$ to $F_2$. The security of the system relies, in a central way, on the choice of the Boolean function. Subsequently, the Boolean functions used to combine several LFSRs, called combining functions, must fulfil several criteria. They must be balanced, i.e., they must take the value 1 and the value 0 with the same probability on the set $F_2^n$. They must have high algebraic degrees (see the definition in Section 2) so that the keystream generator resists the Berlekamp-Massey attack [?]. The generator must also resist Siegenthaler's correlation attack [12]. This comes down to choosing a combining function which is correlation-immune of a high order $m$ [?], i.e., whose output distribution does not change when $m$ input values (i.e., $m$ coordinates of the input vector) are fixed. If the combining function is correlation-immune of order $m$, the attacker has to guess the initialization of at least $m + 1$ LFSRs to observe a correlation between them and the output of the pseudo-random generator during a correlation attack. Combining functions must also have high nonlinearities in order to prevent linear approximation. Of course these criteria are partially conflicting and tradeoffs exist.

Enumerating the Boolean functions satisfying one or several of these criteria is useful for several reasons. Firstly, because it indicates for which values of the parameters ($n$, ...) there is a chance of finding good cryptographic functions by random search. Secondly, because a large number of functions is necessary if we want to impose extra constraints on the functions or if we want to modify the cryptosystems using them by having the function as part of the secret key.

Mitchell [?] proposed a number of open problems with partial results about enumerating Boolean functions satisfying various criteria, including balancedness and correlation-immunity. The first bounds on the number of first-order correlation-immune Boolean functions were lower bounds (see [?]). In 1990, Yang and Guo published the first upper bound on such functions. Park, Lee, Sung and Kim [8] proceeded further and improved upon Yang-Guo's bound. In 1995, Schneider [10] used a new idea to improve upon previous bounds. He obtained bounds for the numbers of $m$th-order correlation-immune functions and of $m$-resilient functions. Carlet and Klapper [1] obtained a general upper bound on the number of Boolean functions whose distances to affine functions are all divisible by $2^m$. They deduced an upper bound on the number of $m$-resilient functions and improved upon Schneider's bound for $m$ large.

In the present paper, we obtain an upper bound on $m$-resilient functions ($m \ge \frac{n}{2} - 1$), and improve upon Schneider's bound for all values $m \ge \frac{n}{2} - 1$. We show with tables of values that our bound partially improves upon Carlet-Klapper's bound (the expressions of both bounds seem difficult to compare mathematically).

The organization of the paper is as follows. Section 2 introduces the notation and the definitions that are needed in the paper, including the definition of correlation-immunity. Section 3 reviews the previous upper bounds on the numbers of first-order correlation-immune functions, i.e., Yang et al.'s and Park et al.'s bounds, and of $m$-resilient functions, i.e., Schneider's and Carlet-Klapper's bounds. Extensions of Yang et al.'s and Park et al.'s bounds are given for the case of 1-resilient functions, in this section for the first one and in the appendix for the second one. Section 4 introduces a new upper bound on the number of $m$-resilient functions. We give a table of values corresponding to the ratio of Schneider's bound to the new bound, and a second table corresponding to the ratio of Carlet-Klapper's bound to the new one.
2 Notation and Definitions

Let $n$ be any positive integer. We denote by $\oplus$ the usual addition in $F_2$ and in $F_2^n$. The Hamming weight $w_H(u)$ of a word $u$ in $F_2^n$ is the number of its components equal to 1. We denote by $\preceq$ the partial order on the words of $F_2^n$, i.e., $(u_1, \ldots, u_n) \preceq (v_1, \ldots, v_n)$ if and only if $(u_i = 1) \Rightarrow (v_i = 1)$. Any Boolean function $f$ in $n$ variables, $f : F_2^n \to F_2$, admits a unique Algebraic Normal Form (A.N.F.):

$$f(x_1, \ldots, x_n) = \bigoplus_{u \in F_2^n} a_u \Big( \prod_{i=1}^{n} x_i^{u_i} \Big) = \bigoplus_{u \in F_2^n} a_u x^u .$$

The function $g : u \mapsto a_u$ is called the Möbius transform of $f$. For any word $u$, the coefficient $a_u$ belongs to $F_2$, and can be computed thanks to the formula

$$a_u = \bigoplus_{v \in F_2^n,\ v \preceq u} f(v) . \qquad (1)$$

The algebraic degree of a Boolean function $f$ is the degree of its algebraic normal form. The Hamming weight $w_H(f)$ of a Boolean function $f$ in $n$ variables is the size of its support, i.e., the size of the set $\{x \in F_2^n \mid f(x) = 1\}$. A Boolean function $f$ in $n$ variables is called balanced if its Hamming weight equals $2^{n-1}$.

Definition 1. [?] Let $X^{(j)} = (X_1^{(j)}, X_2^{(j)}, \ldots, X_n^{(j)})$ be the $n$-tuple of LFSR output digits at time $j$. The combining function $f$ is $m$th-order correlation-immune if every $m$-tuple obtained by fixing $m$ components from $X^{(j)}$ is statistically independent of the random value $Z = f(X_1, X_2, \ldots, X_n)$ associated to arbitrary outputs of the LFSRs.

A characterization of $m$th-order correlation-immune functions was given by Guo-Zhen and Massey in [3].

Definition 2. Let $f$ be a Boolean function in $n$ variables. The Walsh transform of $f$ is defined as the following real-valued function over the vector space $F_2^n$,

$$\hat{f}(u) = \sum_{x \in F_2^n} f(x) (-1)^{u \cdot x}$$

where $u \cdot x$ stands for $\sum_{i=1}^{n} u_i x_i$.

Theorem 1. [3] A Boolean combining function $f$ in $n$ variables is $m$th-order correlation-immune, where $1 \le m \le n$, if and only if for every word $u$ in $F_2^n$ such that $1 \le w_H(u) \le m$, $\hat{f}(u)$ equals 0, i.e., $f(x) \oplus u \cdot x$ is balanced for all $u$ such that $1 \le w_H(u) \le m$.

A balanced Boolean function in $n$ variables which is correlation-immune of order $m$ is called $m$-resilient. This notion was considered for the first time by Chor et al. in [?].

The tradeoff between the order of correlation-immunity and the algebraic degree was given by Siegenthaler.

Theorem 2. [12] Let $f$ be an $m$th-order correlation-immune Boolean function of degree $d$ in $n$ variables. Then $d \le n - m$. Furthermore, if $f$ is balanced then $d \le n - m - 1$ if $m < n - 1$ and $d = 1$ if $m = n - 1$.

This result leads to the first obvious bound on the numbers of $m$-resilient and $m$th-order correlation-immune functions. The number of $m$th-order correlation-immune functions in $n$ variables is upper bounded by $2^{\sum_{i=0}^{n-m} \binom{n}{i}}$, and the number of $m$-resilient functions in $n$ variables is upper bounded by $2^{\sum_{i=0}^{n-m-1} \binom{n}{i}}$ if $m < n - 1$.

3 Previous Upper Bounds

The number of $m$th-order correlation-immune Boolean functions is still unknown (an asymptotic formula is known, due to Denisov [?]). The first upper bound on the number of correlation-immune Boolean functions, published by Yang and Guo in 1990 [14], enumerates in fact the number of Boolean functions which satisfy the first-order correlation-immunity criterion only partially, i.e., the functions $f$ such that for two distinct integers $i_1$ and $i_2$, $f \oplus x_{i_1}$ and $f \oplus x_{i_2}$ are balanced. This leads to:

Proposition 1. [14] Let $n$ be a positive integer greater than 1. The number of 1st-order correlation-immune Boolean functions in $n$ variables is less than:



Yang and Guo did not study the corresponding bound for 1-resilient functions. This can be done:

Proposition 2. Let $n$ be a positive integer greater than 1. The number of 1-resilient Boolean functions in $n$ variables is less than:



We give the proof of this bound in the appendix.

This work was deepened by Park, Lee, Sung and Kim for 1st-order correlation-immunity. They showed that the number of correlation-immune functions is itself upper bounded by this same number as in Proposition 1. Park et al. obtained this bound by enumerating the Boolean functions such that for three distinct integers $i_1, i_2, i_3$, the functions $f \oplus x_{i_1}$, $f \oplus x_{i_2}$ and $f \oplus x_{i_3}$ are balanced. They did not study the corresponding bound for 1-resilient Boolean functions. The bound obtained is quite complicated and is given in the appendix.

The number of balanced Boolean functions such that $f(x) \oplus x_i$ is balanced for three distinct integers could be calculated by considering the solutions of a system of four equations with eight unknowns. When the number of integers increases by one, only one new equation can be obtained and the number of unknowns is doubled. Thus, enumerating the number of Boolean functions such that $f(x) \oplus x_i$ is balanced for $i \in I \subseteq \{1, \ldots, n\}$ leads to considering $|I| + 1$ equations and $2^{|I|}$ unknowns. Thus, for $n$ greater than 3, the gap between the number of equations and the number of unknowns is too large to obtain a bound which can be computed easily.

Maitra and Sarkar [5] found a sufficient condition for a function $f$ to be such that $f(x) \oplus x_i$ is balanced for three values of $i$ but $f$ is not first-order correlation-immune. A lower bound on the number of such functions provides an upper bound on the number of $m$th-order correlation-immune functions by using the bound of Park, Lee, Sung and Kim. However, the formula given by Maitra and Sarkar cannot be computed and thus their bound cannot be compared to the other bound.

Schneider proposed a new idea in 1990 for obtaining an upper bound on the number of $m$th-order correlation-immune Boolean functions, and an upper bound on $m$-resilient Boolean functions. In [10], he presented an algorithm for producing all correlation-immune functions. This algorithm is not very efficient (the workfactor, if computed, could be comparable to the complexity of searching among all Boolean functions). But the idea of this algorithm allowed him to provide an enumeration which is quite efficient.

Theorem 3. [10] The number of $m$-resilient Boolean functions in $n$ variables is less than:



We can compare these three bounds by giving values in the 1-resilient case (Table 1). It can be observed that Schneider's bound is always better than Yang-Guo's and Park et al.'s bounds for $n > 4$. The case $n = 3$ can be explained: the number of balanced Boolean functions such that $f(x) \oplus x_i$ is balanced for three distinct values of $i$ is then exactly the number of 1-resilient functions.

Carlet and Klapper obtained two bounds on the number of $m$-resilient functions, one for $2 < m < n/2$ and the other one for $n/2 < m < n$. They improved upon Schneider's bound for $m$ large.


Table 1. Values of previous upper bounds for first order resilient functions

n | YG (Resilient) | PLSK (Resilient) | Schneider
--|----------------|------------------|-------------
3 | 18             | 8                | 12
4 | 1810           | 648              | 840
5 | 4.4916 · 10^7  | 1.1979 · 10^7    | 1.081 · 10^7
6 | 7.0667 · 10^16 | 1.3711 · 10^16   | 6.498 · 10^15
7 | 4.6909 · 10^35 | 6.5259 · 10^34   | 1.191 · 10^34
8 | 5.6935 · 10^73 | 5.6396 · 10^72   | 2.8523 · 10^71
Theorem 4. [1] The number of $m$-resilient Boolean functions in $n$ variables, $n/2 < m < n$, is less than:

2 ij | rl (")(i + £ ) + 2 Er="o m_2 (?) 

aSTM 

Wflere 6 = 20^)^ • 

The number of $m$-resilient Boolean functions in $n$ variables, $2 < m < n/2$, is less than:

2 e--( :) _ 2 e— m 
2 22m+1 - 1 + 

4 A New Bound for m-Resilient Functions

Our improvement of Schneider's bound is based on several ideas. One of them is to use more efficiently than Schneider does the bound on the degrees of $m$-resilient Boolean functions. Recall that, thanks to Siegenthaler's theorem, we know that, for $m < n - 1$, the degree of an $m$-resilient function in $n$ variables is less than or equal to $n - m - 1$.

Lemma 1. Let $f$ be a Boolean function in $n$ variables. If the algebraic degree of $f$ is at most $d$, then $f$ is completely determined by its values at the words $u \in F_2^n$ such that $w_H(u) \le d$.

Proof. Consider the algebraic normal form of the function:

$$f(x) = \bigoplus_{u \in F_2^n} g(u) x^u ,$$

where $g$ is the Möbius transform of $f$. For every word $u$ such that $d < w_H(u) \le n$, the coefficient $g(u)$ is equal to zero, and thus:

$$f(x) = \bigoplus_{u \in F_2^n \mid w_H(u) \le d} g(u) x^u = \bigoplus_{u \in F_2^n \mid w_H(u) \le d,\ u \preceq x} g(u) = \bigoplus_{u \in F_2^n \mid w_H(u) \le d,\ u \preceq x} \Big( \bigoplus_{v \in F_2^n \mid v \preceq u} f(v) \Big) .$$

Every $v$ such that $v \preceq u$ where $w_H(u) \le d$ has weight at most $d$. □
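
As an added example (not code from the paper), the following Python implements the Möbius transform of formula (1) from Section 2, the balancedness test of Theorem 1, the reconstruction of Lemma 1 above, and an exact count of $m$-resilient functions that enumerates only ANFs of degree at most $n - m - 1$, the use of Siegenthaler's bound (Theorem 2) that this section builds on. The sample function $f = x_1 \oplus x_2 \oplus x_3 x_4$ and the convention that bit $i$ of an index word is $x_{i+1}$ are choices made for this example.

```python
# Added example (not from the paper): ANF via the Mobius transform (formula (1)), the
# balancedness test of Theorem 1, the Lemma 1 reconstruction, and a count of m-resilient
# functions that enumerates only ANFs of degree <= n - m - 1 (Siegenthaler, Theorem 2).
# The sample function f = x1 + x2 + x3*x4 (mod 2) is constructed for this example.

def weight(u):
    return bin(u).count("1")

def mobius(bits):
    """Fast Mobius transform of a table indexed by words of F_2^n (bit i of the index is
    coordinate i+1): truth table -> ANF coefficients a_u = XOR_{v <= u} f(v), i.e. formula (1).
    It is an involution, so it also maps an ANF back to the truth table."""
    out, n = list(bits), len(bits).bit_length() - 1
    for i in range(n):
        for x in range(len(out)):
            if x >> i & 1:
                out[x] ^= out[x ^ (1 << i)]
    return out

def degree(anf):
    return max((weight(u) for u, a in enumerate(anf) if a), default=0)

def is_resilient(tt, m):
    """Theorem 1: f is m-resilient iff f and every f(x) + u.x with 1 <= wt(u) <= m are balanced."""
    half = len(tt) // 2
    return all(sum(tt[x] ^ (weight(u & x) & 1) for x in range(len(tt))) == half
               for u in range(len(tt)) if weight(u) <= m)

def reconstruct(values, n, d):
    """Lemma 1: a function of degree <= d is fixed by its values at words of weight <= d.
    `values` maps those words to f(u); each a_u with wt(u) <= d follows from formula (1),
    which only reads words v <= u (all of weight <= d); the remaining a_u are zero."""
    anf = [0] * (1 << n)
    for u in range(1 << n):
        if weight(u) <= d:
            anf[u] = sum(values[v] for v in range(1 << n) if (v & ~u) == 0) & 1
    return mobius(anf)

def count_resilient(n, m):
    """Exact number of m-resilient functions in n variables: by Theorem 2 their degree is at
    most n - m - 1 (or 1 when m = n - 1), so only ANFs on those monomials are enumerated."""
    d = n - m - 1 if m < n - 1 else 1
    monomials = [u for u in range(1 << n) if weight(u) <= d]
    count = 0
    for mask in range(1 << len(monomials)):
        anf = [0] * (1 << n)
        for i, u in enumerate(monomials):
            if mask >> i & 1:
                anf[u] = 1
        count += is_resilient(mobius(anf), m)
    return count

N = 4
F_TT = [(x & 1) ^ (x >> 1 & 1) ^ ((x >> 2 & 1) & (x >> 3 & 1)) for x in range(1 << N)]
F_ANF = mobius(F_TT)   # monomials x1, x2, x3x4 sit at indices 1, 2, 12

def lemma1_demo():
    """Keep only the values of f at words of weight <= 2 and rebuild its truth table."""
    partial = {u: F_TT[u] for u in range(1 << N) if weight(u) <= 2}
    return reconstruct(partial, N, 2) == F_TT
```

`count_resilient(3, 1)` returns 8 (the affine functions in at least two variables, as the text explains for $n = 3$), and `count_resilient(4, 1)` stays below the PLSK value 648 of Table 1.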

The number of Boolean functions of degrees less than $n - m - 1$ being negligible in comparison with Schneider's bound, we shall bound the number of $m$-resilient functions of degree exactly $n - m - 1$ and add the number of Boolean functions of degrees less than $n - m - 1$. To this aim, we shall use a lemma which was first proved in [1]. But we shall need a slightly different statement of this lemma, with extra precisions that will be useful in our context. For this reason, we give a proof of the lemma. We first introduce a notation:

Let $u$ and $v$ be two vectors in $F_2^n$; we denote by $v \wedge u$ the vector such that, for every index $i$, $(v \wedge u)_i = v_i u_i = \min(v_i, u_i)$, and by $v \vee u$ the vector such that, for every index $i$, $(v \vee u)_i = \max(v_i, u_i)$ (these two operations are called bitwise-AND and bitwise-OR).
Lemma 2. [1] Let $f(x) = \bigoplus_{u \in F_2^n} a_u x^u$ be an $m$-resilient Boolean function in $n$ variables of degree $n - m - 1 \ge 2$ with $m \ge 2$ and let $\bigoplus_{u \in F_2^n} b_u x^u$ be the ANF of the function $f(x) \oplus x_1 \oplus \cdots \oplus x_n$ (i.e. $b_u = a_u$ if $w_H(u) > 1$ or if $u = 0$ and $b_u = a_u \oplus 1$ if $w_H(u) = 1$). If $u$ is a word in $F_2^n$ of weight $n - m - 1$ such that $a_u = 1$ (i.e. $b_u = 1$) then for all non-zero $v$ in $F_2^n$ such that $v \wedge u = 0$, we have:

$$b_v = \bigoplus_{\{s,t\} \mid s \vee t = u \vee v,\ s,t \ne v,\ s \wedge u \ne 0,\ t \wedge u \ne 0} b_s b_t .$$

Proof. We know (cf. [1]) that for every word $x$ such that $w_H(x) \ge n - m$, we have $\bigoplus_{\{s,t\} \mid s \vee t = x} b_s b_t = 0$. We apply this to $x = v \vee u$. In the corresponding relation, the coefficient $b_v$ appears with a non-zero coefficient only in the term $b_u b_v$ since if $b_{u'} b_v$ appears, then $u' \vee v = x$, so $u \preceq u'$. We deduce:

$$b_v = \bigoplus_{\{s,t\} \mid s \vee t = u \vee v,\ s,t \ne v} b_s b_t .$$

According to Siegenthaler's inequality, the double condition that $s \vee t = u \vee v$ and $s,t \ne v$ implies, if $b_s \ne 0$ and $b_t \ne 0$, that $s \wedge u \ne 0$ and $t \wedge u \ne 0$ since $u$ has weight $n - m - 1$. □

Theorem 5. Let n and m be two positive integers such that n/2 − 1 < m ≤ n − 2.
The number of m-resilient functions of degree n − m − 1 in n variables is lower
than:



Thus, the number of m-resilient functions in n variables is lower than: 



The principle of the proof is to bound the number of different truth-tables of
m-resilient functions of maximum degree (d = n − m − 1) by using the fact that
some of their successive restrictions are balanced. The bound is then obtained
by adding the number of Boolean functions of degrees at most n − m − 2 (which
is negligible).

Proof. According to Siegenthaler's Theorem on the degrees of resilient functions
and according to the lemma above, we only need, when evaluating the number of
possible truth tables of f (that is, the number of choices of the values of f at
words u ∈ F_2^n), to consider the words u such that 0 ≤ w_H(u) ≤ n − m − 1. In
order to bound the number of m-resilient functions of degree exactly n − m − 1,
we first bound the number of m-resilient functions whose ANF contains the
monomial x_1 ··· x_{n−m−1}. We proceed by induction.
• Step 1: Every m-resilient Boolean function f is such that the restricted function
f(x_1, ..., x_{n−m}, 0, ..., 0) is balanced, i.e., has weight 2^{n−m−1}. Since the
monomial x_1 ··· x_{n−m−1} appears in the ANF of the function, the number of words
of the support which are less than u = 1^{n−m−1} 0^{m+1} for the partial order is
odd. Consequently, there are


different choices for the restriction of the truth-table of f at words of
{0, 1}^{n−m} × {0}^m.

• Step 2: We now consider the restrictions of f in which the (n − m)th variable
is fixed to zero. For the values of the variables x_{n−m+1}, ..., x_n, we fix m − 1
variables among m to zero (there are m possible different choices), and the last
free one is fixed to 1 because the cases where it is fixed to 0 have already been
considered at the previous step. Indeed every word v lower (for the partial order
≼) than the word u = 1^{n−m} 0^m has been considered at the first step and, a
fortiori, every word lower than u' = 1^{n−m−1} 0^{m+1} has already been considered.

Thus only the words in {u ∈ F_2^n | u = (u_1, ..., u_{n−m−1}, 0, ..., 0, 1, 0, ..., 0)}
will be given a value by f at this step. We do not know how many words in
this set must be in the support of the considered functions, since we do not
know how many words in the set {u ∈ F_2^n | u = (u_1, ..., u_{n−m−1}, 0, ..., 0)} are
already in the support. But if this latter number is i, then the former one must
be j = 2^{n−m−1} − i. And we know that for every j we have:


We can bound the number of choices for one such restriction by $\binom{2^{n-m-1}}{2^{n-m-2}}$, and
since the number of such restrictions is m, the number of choices $\binom{2^{n-m-1}}{2^{n-m-2}}$ is
raised to the mth power. At the end of this step, we have considered all the
words in F_2^n such that 0 ≤ w_H(x_{n−m}, x_{n−m+1}, ..., x_n) ≤ 1.

• Step p: Assume we have already chosen the values on the words x such that
0 ≤ w_H(x_{n−m−p+3}, ..., x_n) ≤ p − 2.

We now consider the restrictions such that x_{n−m−p+2} = 0, and m − 1 variables
among m + p − 2 are fixed to 0; the remaining free variables are fixed to 1 because
the other cases have already been considered in the previous steps. Thus there are
$\binom{m+p-2}{m-1}$ such restrictions. For each restriction, we do not know exactly how many
words should be in the support, but this number can be bounded by the maximum
possible number of choices, i.e., $\binom{2^{n-m-p+1}}{2^{n-m-p}}$. Since there are $\binom{m+p-2}{m-1}$ such
restrictions, the number of choices $\binom{2^{n-m-p+1}}{2^{n-m-p}}$ is raised to the power $\binom{m+p-2}{m-1}$. We
show now that, at the end of this step, we have considered all the words x such
that 0 ≤ w_H(x_{n−m−p+2}, ..., x_n) ≤ p − 1: if w_H(x_{n−m−p+2}, ..., x_n) ≤ p − 2 or if
w_H(x_{n−m−p+2}, ..., x_n) = p − 1 and x_{n−m−p+2} = 1, then x has been considered
before step p (by induction hypothesis); and if w_H(x_{n−m−p+2}, ..., x_n) = p − 1
and x_{n−m−p+2} = 0, then it has been considered at step p.
• Step n − m: According to the property proved above, all the words such that
w_H(x_3, ..., x_n) ≤ n − m − 2 have been considered at the end of step n − m − 1.
Thus, only the words of weight n − m − 1 and such that x_1 = x_2 = 0 have
still to be given a value by f. We first choose a value f(x) for every word x =
(0, 0, x_3, ..., x_n) of weight n − m − 1 such that x ∧ u ≠ 0, where u = 1^{n−m−1} 0^{m+1}.
The number of such choices equals $2^{\binom{n-2}{n-m-1} - \binom{m+1}{n-m-1}}$. We apply now Lemma 2
to any word v of weight n − m − 1 and such that v ∧ u = 0. We deduce the value
of b_v and thus of a_v. Indeed, according to relation (?), the values of all the bits
b_s, b_t such that s ∨ t = u ∨ v and s ∧ u ≠ 0, t ∧ u ≠ 0 can be deduced from the
values of f(x) already chosen, since x ≼ s implies that either w_H(x) < n − m − 1
or x ∧ u ≠ 0. The knowledge of b_v implies that of f(v) because all the values
f(x) such that x ≺ v have been already chosen, and according to relation (?).

We have now proved that the number of m-resilient functions f of degree
n − m − 1 and whose ANF contains the monomial x_1 ··· x_{n−m−1} is upper bounded
by:


This number does not change if we replace the monomial x_1 ··· x_{n−m−1} by any
other monomial μ of the same degree (since the notion of resiliency is invariant
under the permutation of the coordinates of x). Any m-resilient function of degree
n − m − 1 belonging to ∪_μ S_μ, where S_μ is the set of all m-resilient functions
of degree n − m − 1 whose ANF contains μ, we obtain a bound on the number
of m-resilient functions of degree n − m − 1 by multiplying the number above
by the number of these monomials, i.e., $\binom{n}{n-m-1}$. Our bound on the number
of all m-resilient functions is then obtained by adding the number of Boolean
functions of degrees at most n − m − 2. □

We now give tables of values permitting to compare the bounds. We give in
the first table the values of the new bound for ⌈n/2⌉ ≤ m ≤ ⌈n/2⌉ + 5. In the next
table, we compare Schneider's bound and the new bound (which improves upon
it for m ≥ ⌈n/2⌉). In the last table of values, we compare Carlet-Klapper's bound
and the new one.



Remark 1. A slight improvement of our bound is possible: let k be a positive
integer; the number of Boolean functions of degree at most n − m − 1 and
whose ANF contains at most k − 1 monomials of degree n − m − 1 equals

$$2^{\sum_{i=0}^{n-m-2} \binom{n}{i}} \sum_{j=0}^{k-1} \binom{\binom{n}{n-m-1}}{j} .$$

We deduce that the number of m-resilient functions in n variables is lower than:

$$2^{\sum_{i=0}^{n-m-2} \binom{n}{i}} \cdot [\ldots]$$

We have checked that for almost every n, some values of k ≤ $\binom{n}{n-m-1}$ permit
to improve upon our bound.
Table 2. New bound on the number of m-resilient functions

n\m | ⌈n/2⌉ | ⌈n/2⌉+1 | ⌈n/2⌉+2 | ⌈n/2⌉+3 | ⌈n/2⌉+4 | ⌈n/2⌉+5
6 | 1.1·10^5 | 11 | - | - | - | -
7 | 9.5·10^? | 12 | - | - | - | -
8 | 5.36·10^23 | 7.6·10^6 | 14 | - | - | -
9 | 1.4·10^31 | 5.9·10^7 | 15 | - | - | -
10 | 6.5·10^102 | 4.2·10^39 | 4.4·10^8 | 17 | - | -
11 | 2.3·10^146 | 1.4·10^49 | 3.2·10^9 | 18 | - | -
12 | 5.6·10^430 | 1.3·10^199 | 5.8·10^69 | 2.3·10^10 | 20 | -
13 | 1.6·10^638 | 2.6·10^265 | 2.7·10^71 | 1.6·10^11 | 21 | -
14 | 1.3·10^1776 | 1.3·10^918 | 4.8·10^345 | 1.5·10^84 | 1.2·10^12 | 23
15 | 3.4·10^2712 | 3.7·10^1286 | 1.9·10^441 | 9.7·10^97 | 8.0·10^12 | 47
16 | 3.8·10^7264 | 1.2·10^4034 | 2.0·10^1761 | 3.9·10^583 | 7.5·10^112 | 5.5·10^13
17 | 1.6·10^11333 | 2.7·10^5855 | 5.7·10^2361 | 1.0·10^684 | 6.8·10^128 | 3.7·10^14
18 | 7.6·10^29577 | 8.2·10^17260 | 1.6·10^8313 | 1.1·10^3109 | 7.8·10^833 | 7.3·10^145
19 | 1.1·10^46898 | 2.8·10^28709 | 6.5·10^11567 | 9.8·10^4028 | 4.4·10^1004 | 9.4·10^163
20 | 7.8·10^120074 | 2.4·10^72742 | 5.3·10^37511 | 2.7·10^18805 | 1.1·10^5137 | 4.3·10^1197
21 | 1.2·10^192912 | 7.7·10^110527 | 3.0·10^53700 | 1.2·10^21240 | 2.5·10^6468 | 1.8·10^1414

("?" marks an exponent that is not legible in the scan.)

Table 3. (Schneider's bound/new bound) for m-resilient functions

n\m | ⌈n/2⌉ | ⌈n/2⌉+1 | ⌈n/2⌉+2 | ⌈n/2⌉+3 | ⌈n/2⌉+4 | ⌈n/2⌉+5
6 | 8.5 | 8.7 | - | - | - | -
7 | 9.8·10^1 | 1.5·10^1 | - | - | - | -
8 | 3.7·10^1 | 2.3·10^3 | 2.7·10^1 | - | - | -
9 | 2.5·10^4 | 1.2·10^8 | 5.0·10^1 | - | - | -
10 | 3.1·10^2 | 5.7·10^? | 1.2·10^7 | 9.0·10^1 | - | -
11 | 2.1·10^? | 8.7·10^14 | 2.5·10^9 | 1.7·10^2 | - | -
12 | 5.3·10^3 | 4.8·10^18 | 1.8·10^23 | 1.1·10^12 | 3.1·10^2 | -
13 | 1.1·10^14 | 2.4·10^38 | 9.3·10^33 | 9.2·10^14 | 5.7·10^2 | -
14 | 1.8·10^5 | 8.5·10^34 | 3.3·10^60 | 2.6·10^47 | 1.6·10^18 | 1.1·10^3
15 | 7.7·10^21 | 4.8·10^72 | 3.2·10^96 | 7.4·10^63 | 5.7·10^21 | 2.0·10^3
16 | 1.2·10^7 | 4.1·10^89 | 5.4·10^138 | 1.1·10^146 | 4.4·10^83 | 4.1·10^25
17 | 1.3·10^32 | 1.9·10^135 | 8.4·10^234 | 1.4·10^212 | 1.1·10^107 | 6.0·10^29
18 | 1.6·10^? | 1.4·10^98 | 1.5·10^274 | 6.2·10^383 | 1.4·10^298 | 2.3·10^134
19 | 1.2·10^48 | 1.0·10^234 | 2.7·10^812 | 7.9·10^598 | 4.2·10^407 | 7.8·10^168
20 | 4.3·10^11 | 1.6·10^144 | 9.5·10^811 | 5.1·10^? | 1.3·10^900 | 3.1·10^544
21 | 1.1·10^61 | 2.6·10^382 | 2.3·10^1028 | 1.7·10^1803 | 7.8·10^1310 | 9.4·10^712

("?" marks an exponent that is not legible in the scan.)

Table 4. (Carlet-Klapper's bound/new bound) for m-resilient functions

n\m | ⌈n/2⌉ | ⌈n/2⌉+1 | ⌈n/2⌉+2 | ⌈n/2⌉+3 | ⌈n/2⌉+4 | ⌈n/2⌉+5
6 | 5.5·10^-2 | 1.27 | - | - | - | -
7 | 2.6·10^? | 1.12 | - | - | - | -
8 | 5.5·10^-4 | 1.2·10^-2 | 1 | - | - | -
9 | 4.4·10^-5 | 6.7·10^-3 | 9.0·10^-1 | - | - | -
10 | 3.3·10^-4 | 2.4·10^? | 3.6·10^-3 | 8.2·10^-1 | - | -
11 | 2.0·10^-6 | 9.7·10^-8 | 1.9·10^-3 | 7.6·10^-1 | - | -
12 | 7.3·10^10 | 1.4·10^-9 | 2.6·10^-9 | 1.1·10^-3 | 7.0·10^-1 | -
13 | 4.1·10^12 | 7.0·10^-14 | 4.7·10^? | 6.1·10^-4 | 6.5·10^-1 | -
14 | 2.0·10^? | 4.5·10^12 | 1.7·10^-19 | 5.9·10^-13 | 3.5·10^-4 | 6.1·10^-1
15 | 2.7·10^142 | 9.1·10^9 | 1.3·10^-26 | 5.0·10^-15 | 2.0·10^-4 | 5.7·10^-1
16 | 4.2·10^611 | 1.6·10^194 | 2.2·10^3 | 2.4·10^-38 | 2.9·10^-17 | 1.2·10^-4
17 | 9.3·10^785 | 2.3·10^253 | 2.5·10^-9 | 6.1·10^-46 | 1.1·10^-19 | 6.9·10^-8
18 | 1.1·10^2256 | 6.4·10^1188 | 4.1·10^317 | 3.9·10^-28 | 1.4·10^-88 | 2.9·10^-22
19 | 3.7·10^3610 | 1.2·10^1649 | 2.4·10^383 | 1.6·10^-55 | 2.2·10^-73 | 5.1·10^-28
20 | 2.3·10^? | 5.9·10^5571 | 1.3·10^2275 | 4.7·10^445 | 2.0·10^-93 | 1.5·10^-90
21 | 5.4·10^15353 | 2.5·10^8328 | 4.1·10^3053 | 8.1·10^497 | 7.1·10^-144 | 2.6·10^-110
22 | 3.7·10^37456 | 1.5·10^24442 | 5.2·10^12102 | 2.0·10^3998 | 5.2·10^832 | 3.6·10^-209

("?" marks an exponent that is not legible in the scan.)

5 Conclusion

We have obtained for m ≥ n/2 an improvement of Schneider's bound on the
number of m-resilient functions in n variables. The tables computed show that
our bound also partially improves upon Carlet-Klapper's bound. Notice that
the values of m for which this happens in the tables are those among which
the best satisfactory tradeoffs between resiliency order, nonlinearity (limited by
Sarkar-Maitra's bound [?]) and degree (limited by Siegenthaler's bound) can
be obtained (since none of these parameters must be small). Moreover, we can
conjecture that, asymptotically, the new bound improves upon Carlet-Klapper's
bound when m − n/2 is fixed and n tends to infinity (recall that Carlet-Klapper's
bound improves upon Schneider's one when n − m is fixed and n tends to infinity).
A Proof of Proposition [?]

We prove that the number of 1-resilient functions in n variables is less than

$$\sum_{i=0}^{2^{n-2}} \binom{2^{n-2}}{i}^4 .$$

Every Boolean function f in n variables can be considered as the concatenation
of four Boolean functions in n − 2 variables, f = f_1 f_2 f_3 f_4. The ANF of the
function is

$$f = (1 - x_n)(1 - x_{n-1}) f_1 \oplus (1 - x_n)\, x_{n-1} f_2 \oplus x_n (1 - x_{n-1}) f_3 \oplus x_n x_{n-1} f_4 .$$

We have:

$$w_H(f) = 2^{n-1} \iff w_H(f_1) + w_H(f_2) + w_H(f_3) + w_H(f_4) = 2^{n-1} \qquad (2)$$

$$w_H(f|_{x_n = 0}) = 2^{n-2} \iff w_H(f_1) + w_H(f_2) = 2^{n-2} \qquad (3)$$

$$w_H(f|_{x_{n-1} = 0}) = 2^{n-2} \iff w_H(f_1) + w_H(f_3) = 2^{n-2} \qquad (4)$$

$$\Rightarrow\ w_H(f_2) = w_H(f_3) \qquad (5)$$

$$w_H(f_1) = w_H(f_4) \qquad (6)$$

Thus,


The bound of Proposition [?] is then a direct consequence of equations (3), (5)
and (6). Indeed, we can deduce:

$$\sum_{w_H(f_1) = 0}^{2^{n-2}} \binom{2^{n-2}}{w_H(f_1)}^2 \binom{2^{n-2}}{2^{n-2} - w_H(f_1)}^2 .$$

□
B Park, Lee, Sung and Kim's Bound in the Case
of First Order Resilient Boolean Function

Proposition 3. Let n be a positive integer greater than 1. The number of 1-
resilient Boolean functions in n variables is less than:

$$\sum_{a,b,c,d = 0}^{2^{n-3}} \binom{2^{n-3}}{a} \binom{2^{n-3}}{b} \binom{2^{n-3}}{c} \binom{2^{n-3}}{d} \binom{2^{n-3}}{2^{n-2} - a - b - c} \binom{2^{n-3}}{2^{n-2} - a - c - d} \binom{2^{n-3}}{c + d - b} \binom{2^{n-3}}{a + b - d} .$$

Proof. Every Boolean function in n variables f can be considered as the concatenation
of eight functions in n − 3 variables, i.e., f = f_1 f_2 f_3 f_4 f_5 f_6 f_7 f_8. The
corresponding ANF of the function is

$$\begin{aligned}
f = {} & (1 - x_n)(1 - x_{n-1})(1 - x_{n-2}) f_1 \oplus (1 - x_n)(1 - x_{n-1})\, x_{n-2} f_2 \\
& \oplus (1 - x_n)\, x_{n-1} (1 - x_{n-2}) f_3 \oplus (1 - x_n)\, x_{n-1} x_{n-2} f_4 \\
& \oplus x_n (1 - x_{n-1})(1 - x_{n-2}) f_5 \oplus x_n (1 - x_{n-1})\, x_{n-2} f_6 \\
& \oplus x_n x_{n-1} (1 - x_{n-2}) f_7 \oplus x_n x_{n-1} x_{n-2} f_8 .
\end{aligned}$$

We have the following equations:

$$w_H(f) = 2^{n-1} \iff \sum_i w_H(f_i) = 2^{n-1} \qquad (7)$$

$$w_H(f|_{x_n = 0}) = 2^{n-2} \iff w_H(f_1) + w_H(f_2) + w_H(f_3) + w_H(f_4) = 2^{n-2} \qquad (8)$$

$$w_H(f|_{x_{n-1} = 0}) = 2^{n-2} \iff w_H(f_1) + w_H(f_2) + w_H(f_5) + w_H(f_6) = 2^{n-2} \qquad (9)$$

$$w_H(f|_{x_{n-2} = 0}) = 2^{n-2} \iff w_H(f_1) + w_H(f_3) + w_H(f_5) + w_H(f_7) = 2^{n-2} \qquad (10)$$

We obtain:

$$(8), (9) \Rightarrow w_H(f_3) + w_H(f_4) = w_H(f_5) + w_H(f_6) \qquad (11)$$

$$(9), (10) \Rightarrow w_H(f_2) + w_H(f_6) = w_H(f_3) + w_H(f_7) \qquad (12)$$

Assume that the values of w_H(f_1), w_H(f_2), w_H(f_3) and w_H(f_7) are fixed, then

$$(8) \Rightarrow w_H(f_4) = 2^{n-2} - w_H(f_1) - w_H(f_2) - w_H(f_3) \qquad (13)$$

$$(9), (15) \Rightarrow w_H(f_5) = 2^{n-2} - w_H(f_1) - w_H(f_3) - w_H(f_7) \qquad (14)$$

$$(12) \Rightarrow w_H(f_6) = w_H(f_3) + w_H(f_7) - w_H(f_2) \qquad (15)$$

$$(7), (8), (14), (15) \Rightarrow w_H(f_8) = w_H(f_1) + w_H(f_2) - w_H(f_7) \qquad (16)$$

Since we know that the values of w_H(f_1), w_H(f_2), w_H(f_3) and w_H(f_7) vary
between 0 and 2^{n−3}, we can deduce the formula with the equations (13), (14),
(15) and (16). □
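As an added check (not the paper's code) for the two appendices, the following Python block evaluates the bound of Appendix A and the bound of Proposition 3, and compares both with an exhaustive enumeration of the 4-variable Boolean functions: each formula must coincide with the number of functions whose listed restrictions are balanced, and both must dominate the true number of 1-resilient functions. The variable-to-bit convention (x_i is bit i−1 of the word) is constructed for this example.

```python
"""Added example (not the paper's code): the bounds of Appendices A and B on the
number of 1-resilient functions, checked by exhaustive enumeration for n = 4."""
from itertools import product
from math import comb


def binom(n, k):
    """Binomial coefficient that is 0 outside 0 <= k <= n (math.comb rejects k < 0)."""
    return comb(n, k) if 0 <= k <= n else 0


def bound_appendix_a(n):
    """Sum over i of C(2^{n-2}, i)^4: f = f1 f2 f3 f4 with f, f|x_n=0, f|x_{n-1}=0 balanced."""
    h = 1 << (n - 2)
    return sum(binom(h, i) ** 4 for i in range(h + 1))


def bound_appendix_b(n):
    """Proposition 3: f = f1 ... f8 in n-3 variables, with a = w(f1), b = w(f2),
    c = w(f3), d = w(f7) free and the other four weights fixed by (13)-(16)."""
    piece = 1 << (n - 3)     # 2^{n-3}: length of each of the eight pieces
    target = 1 << (n - 2)    # 2^{n-2}: weight of each balanced restriction
    total = 0
    for a, b, c, d in product(range(piece + 1), repeat=4):
        total += (binom(piece, a) * binom(piece, b) * binom(piece, c) * binom(piece, d)
                  * binom(piece, target - a - b - c)   # w(f4), eq. (13)
                  * binom(piece, target - a - c - d)   # w(f5), eq. (14)
                  * binom(piece, c + d - b)            # w(f6), eq. (15)
                  * binom(piece, a + b - d))           # w(f8), eq. (16)
    return total


def count_balanced_with_restrictions(n, variables):
    """Number of n-variable functions f that are balanced and such that f|_{x_i=0}
    is balanced for every i in `variables` (1-based; x_i is bit i-1 of the word).
    With variables = 1..n this is exactly the number of 1-resilient functions,
    since f balanced and f|_{x_i=0} balanced force f|_{x_i=1} balanced too."""
    size = 1 << n
    masks = []
    for i in variables:
        m = 0
        for x in range(size):
            if not (x >> (i - 1)) & 1:
                m |= 1 << x       # truth-table position x lies in the restriction
        masks.append(m)
    half, quarter = 1 << (n - 1), 1 << (n - 2)
    count = 0
    for t in range(1 << size):                    # t is the truth table as a bit string
        if bin(t).count("1") != half:
            continue
        if all(bin(t & m).count("1") == quarter for m in masks):
            count += 1
    return count


if __name__ == "__main__":
    n = 4
    print(bound_appendix_a(n), count_balanced_with_restrictions(n, [n, n - 1]))
    print(bound_appendix_b(n), count_balanced_with_restrictions(n, [n, n - 1, n - 2]))
    print(count_balanced_with_restrictions(n, range(1, n + 1)))   # 1-resilient, n = 4
```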
Abstract. Group Diffie-Hellman schemes for password-based key exchange
are designed to provide a pool of players communicating over a
public network, and sharing just a human-memorable password, with a
session key (e.g., the key is used for multicast data integrity and confidentiality).
The fundamental security goal to achieve in this scenario is
security against dictionary attacks. While solutions have been proposed
to solve this problem, no formal treatment has ever been suggested. In
this paper, we define a security model and then present a protocol with
its security proof in both the random oracle model and the ideal-cipher
model.


1 Introduction 

Group Diffie-Hellman schemes for password-based key exchange are designed to
provide a pool of players, communicating over a public network, and holding a
shared human-memorable password, with a session key to be used to implement
secure multicast sessions. A human-memorable password pw is a (short) string
chosen from a relatively small dictionary to be easily memorized and typed in
by a human.

Consider mission-critical applications such as emergency rescue and military
operations [?], or even commercial applications like conferencing/meeting
[?] and personal networking [?], where a (small) group of people collaborate.
These applications operate in a highly mobile environment characterized
by the lack of any fixed network and security infrastructure. At the same time,
these are applications where secure multicast sessions may be needed. Due to
the absence of fixed infrastructure, session keys can be computed via a group
Diffie-Hellman key exchange bootstrapped from a password. A password usually
chosen by the participants may be a low-quality one (e.g., 4 decimal digits), easier
to memorize than a high-quality one (e.g., 56-bit, 192-bit).

The fundamental security goal for a group Diffie-Hellman protocol designed
for such a scenario to achieve is security against dictionary attacks. One cannot
actually prevent the adversary from guessing a value for pw and using this
value in an attempt to impersonate a player. If the attack fails, the adversary
can eliminate this value from the list of possible values for pw. However, one
would like this attack to be the only one the adversary can mount: after n active
interactions with some participants the adversary should not be able to eliminate
a greater number of passwords than n. Namely, passive eavesdropping should
be of no help to the adversary, since an off-line exhaustive search on pw should
not get any bias on the actual password; such a bias could be later used in
on-line interactions. The off-line exhaustive search is called dictionary attack.

Contributions. This paper represents the first formal treatment of the authenticated
group Diffie-Hellman key exchange problem when the parties share
a human-memorable password. We start from the model of Bresson et al. [?]
and enhance it to capture dictionary attacks. In our model, the parties are modeled
through oracles and the various types of attacks are modeled by queries to
these oracles. The model is equipped with the ability to obtain honest protocol
executions to enable a treatment of dictionary attacks.

Our model is used to define the execution of a password-based group Diffie-Hellman
protocol which we refer to as EKE (Encrypted Key Exchange, see [?]).
Converting a provably authenticated group Diffie-Hellman protocol [?] into a
password-based group Diffie-Hellman protocol is not an easy task. The trivial
conversion consisting in substituting a signature scheme by a symmetric encryption
scheme, using the password as secret key as for the two-party case [?], does
not provide security against dictionary attacks. We have, in effect, to perform
several modifications to the protocol of Bresson et al. [?]. The modifications
cost only one more exponentiation per player; however, we also notice that the
cost of the signatures and verifications is replaced by the cost of a symmetric
encryption, which is very low. The flows are moreover shorter since there is no
longer a signature.

The security against dictionary attacks shows up in Theorem [?], which asserts
the security of EKE in both the random oracle model and the ideal-cipher
model. Security against dictionary attacks depends on how many interactions the
adversary carries out against the instances rather than on the adversary's computational
power. The theorem exhibits a reduction from the semantic security
of an EKE session key to reasonable and well-defined computational problems.

Our paper is organized as follows. In the remainder of this section we summarize
the related work. In Section 2 we define our model and the definitions that
should be satisfied by a group Diffie-Hellman scheme secure against dictionary
attacks. In Section 3 we present the intractability assumptions we use in this
paper. We present the EKE protocol in Section 4 and assert its security in both
the random oracle model and the ideal-cipher model in Section 5. We then prove
its security in Section 6. Finally, some extensions are provided: we briefly deal
with forward-secrecy in Section 7 and with mutual authentication in Section 8.

Related Work. Several 2-party Diffie-Hellman key exchange protocols aimed to
distribute a session key among two parties when the parties share a password.
Recently, Bellare et al. [2] presented a formal model for this problem and a
protocol secure in the ideal-cipher model. Our work extends their work to the
multi-party setting. Security proofs in the ideal-cipher model see a (keyed) cipher
as a family of random permutations which are queried via an oracle to encrypt
and decrypt. The oracle produces a truly random value for each new query and
identical answers if the same query is asked twice; furthermore, for each key,
injectivity is satisfied. In practice, the ideal-cipher [?] is instantiated using a
deterministic symmetric encryption function such as AES [?]. Although these
encryption functions have been designed with different criteria from being an
ideal-cipher, AES has been designed with unpredictability in mind.

Security proofs in these two models together (both the random oracle and
the ideal-cipher models) are superior to those provided by ad-hoc protocol designs,
although they do not provide the same security guarantees as those in the
random oracle and the standard models. However, the ideal-cipher model allows
for "elegant" and more efficient protocols. Boyko et al. [?] provided (2-party)
Diffie-Hellman key exchange protocols proved secure in the random oracle model
using the multi-party simulatability technique. Katz et al. [?], and Goldreich et
al. [?] designed two-party key exchange protocols secure in the standard model.

Several papers have extended the Diffie-Hellman protocol [?] to the multi-party
setting and thus aimed to distribute a session key among parties aggregated
into a group. Bresson et al. [?] presented a formal model to securely design protocols
for a scenario wherein each party holds a pair of matching public/private
keys. A logical follow-up to this work is a formal model for a scenario wherein the
parties share a human-memorable password. This latter scenario was suggested
by Asokan et al. [?] as well as protocols with informal security analysis.

2 Model 

In this section we define a formal model for security against dictionary attacks 
where the adversary’s capabilities are modeled through queries. In our model, the 
players do not deviate from the protocol and the adversary is not a player. We 
define the security notion that a password-based group Diffie-Hellman protocol 
should achieve. In Authenticated Key Exchange (with implicit authentication), 
each player is assured that an adversary not in the group is unable to learn any 
information about the session key. Another important notion is mutual authen- 
tication, which guarantees to each player that it actually shares a session key 
with all the others. 

2.1 Security Model 

Players. We fix a nonempty set U of players that can participate in a group
Diffie-Hellman key exchange protocol P. A player U_i ∈ U may have many instances
called oracles involved in distinct, but possibly concurrent, executions of
P. We denote by Π_i^t the t-th instance of player U_i, for any t ∈ N.

The players share a low-entropy secret pw taken from a small dictionary
Password of size N. In the following, we assume that this password pw follows a
uniform distribution in the Password set.


500 Emmanuel Bresson, Olivier Chevassut, and David Pointcheval 


Abstract Interface. Let us define the basic structure of a password-based
group Diffie-Hellman protocol P. The protocol consists of two algorithms:

— The password generation algorithm PwdGen(1^ℓ) is a probabilistic algorithm
which, on input a security parameter 1^ℓ, provides each player in U with a
common password pw uniformly distributed in Password.

— The key exchange algorithm KeyExch(Π) is an interactive multi-party
protocol providing the instances of players in U, holding a common password,
with a session key sk.


Queries. The adversary A interacts with the players by making various queries.
Let us explain the capability that each query captures:

— Execute(U): This query models passive attacks, where the adversary gets
access to honest executions of P by eavesdropping. Therefore, A gets back
the protocol flows of an honest execution of P between the players in U.

— Send(Π_i^t, m): This query models A sending a message to an instance. The
adversary A gets back the response oracle Π_i^t generates in processing the
message m according to the protocol P. A query Send(Π_1^t, "Start") initializes
the key exchange algorithm, and thus the adversary receives the flow
the first player should send out to the second one.

— Reveal(Π_i^t): This query models the misuse of the session key by the players.
The query is only available to A if oracle Π_i^t holds a session key. The Reveal-
query unconditionally forces oracle Π_i^t to release sk_{Π_i^t}, which is otherwise
hidden to A.

— Test(Π_i^t): This query models the semantic security of the session key sk.
The Test-query can be asked at most once by the adversary A and is only
available to A if Π_i^t is Fresh (see below). This query is answered as follows:
one flips a coin b and forwards Reveal(Π_i^t) if b = 1 or a random value if b = 0.

The Execute-query may at first seem useless since, using the Send-query, the
adversary has the ability to carry out honest executions of P among parties. Yet
the Execute-query is essential for properly dealing with dictionary attacks. The
number q_s of Send-queries directly asked by the adversary does not take into
account the number of Execute-queries. Therefore, q_s represents the number of
flows the adversary may have built by himself, and thus the number of passwords
he would have tried.

The security notions take place in the context of executing P in the presence
of the adversary A. In this game Game^ake(A, P), A plays against the players using
the above queries in order to defeat the security of P. The game is initialized
by providing coin tosses to PwdGen, A, all Π_i^t, and then

1. PwdGen is run to set the value pw of the password,

2. Initialize any Π_i^t with sk_{Π_i^t} ← NULL,

3. Initialize adversary A with 1^ℓ and access to all Π_i^t,

4. Run adversary A and answer queries made by A,

5. At the end of the game, A outputs its guess b' for the bit b involved in the
Test-query.
2.2 Security Notions

Freshness. An oracle Π_i^t is Fresh (or holds a Fresh key sk) if Π_i^t has computed
a session key sk ≠ NULL and neither Π_i^t nor one of its partners has been asked for
a Reveal-query. Intuitively, the partners of an instance Π_i^t are all the instances
that "should" hold the same session key as Π_i^t at the end of the protocol. We
give a more formal definition in the full version of this paper [?].

AKE Security. In an execution of P, we say an adversary A wins if it asks
a single Test-query to a Fresh player U and correctly guesses the bit b used
in the game Game^ake(A, P). We denote the AKE advantage as Adv_P^ake(A) =
2 Pr[b = b'] − 1, where the probability space is over all the random coins of the
adversary and all the oracles.

3 Assumptions 

Before presenting the protocol, let us recall the algorithmic assumptions on
which its security is based. These assumptions were shown in [?] to be
reasonable by relating them to the DDH and CDH.

Let G = ⟨g⟩ be a cyclic group of prime order q and n ∈ N. Let I_n be
{1, ..., n}, P(I_n) be the set of all subsets of I_n and Γ be any subset of P(I_n).
We define the Group Diffie-Hellman distribution relative to Γ as:

$$\mathrm{GDH}_\Gamma = \{ D_\Gamma(x_1, \ldots, x_n) \mid x_1, \ldots, x_n \in_R \mathbb{Z}_q \},$$

where

$$D_\Gamma(x_1, \ldots, x_n) = \{ (J, g^{\prod_{j \in J} x_j}) \mid J \in \Gamma \}.$$

Our protocol in this paper is based on the triangular structure T_n for Γ, which
we illustrate for n = 4 in Figure 1:

$$T_n = \bigcup_{1 \le j \le n} \big\{ \{ i \mid 1 \le i \le j,\ i \ne k \} \mid 1 \le k \le j \big\}
 = \{ \emptyset;\ \{2\}, \{1\};\ \{2,3\}, \{1,3\}, \{1,2\};\ \{2,3,4\}, \{1,3,4\}, \{1,2,4\}, \{1,2,3\};\ \ldots \}.$$

Fig. 1. Trigon defined by T_n when n = 4.




Trigon Group Computational Diffie-Hellman Assumption (TG-CDH).
A (T, ε)-TG-CDH_n-attacker for G is a probabilistic Turing machine A running
in time T that, given D = D_{T_n}(x_1, ..., x_n) ∈ GDH_{T_n}, outputs g^{x_1 ··· x_n} with
probability greater than ε. We denote this success probability Succ_G^{tgcdh_n}(A).

Multi Decisional Diffie-Hellman Assumption (M-DDH). In the analysis
of the protocol EKE we need an equivalent version of the DDH assumption. Let
us define the two following distributions:

$$\mathrm{M\text{-}DH}_n = \{ (g^{x_1}, \ldots, g^{x_n}, g^{r x_1}, \ldots, g^{r x_n}) \mid x_1, \ldots, x_n, r \in_R \mathbb{Z}_q \},$$

$$\mathrm{Rand}_n = \{ (g^{x_1}, \ldots, g^{x_n}, g^{y_1}, \ldots, g^{y_n}) \mid x_1, \ldots, x_n, y_1, \ldots, y_n \in_R \mathbb{Z}_q \}.$$

A (T, ε)-M-DDH_n-distinguisher for G is a probabilistic Turing machine A
running in time T that is able to distinguish the two distributions with advantage
Adv_G^{mddh_n}(A) greater than ε.

Lemma 1. For any group G and any integer n, Adv_G^{mddh_n}(T) ≤ (n − 1) Adv_G^{ddh}(T)
and Adv_G^{mddh_n}(T) ≤ Adv_G^{ddh}(T + (4n − 6) τ_G), where τ_G is the computational time
for an exponentiation in G.

Proof. The first result easily comes using a hybrid argument [?], while the
second one uses the random self-reducibility. Indeed, from a decisional Diffie-Hellman
instance (g^{x_2}, g^{r_1}, g^{r_2 x_2}) (where r_2 = r_1 in the Diffie-Hellman case), one
derives (with 2 exponentiations, performed by raising two values to the power of x_1)
a 4-tuple (A_1 = g^{x_1}, A_2 = g^{x_2}, B_1 = g^{r_1 x_1}, B_2 = g^{r_2 x_2}). Then, one easily gets
a 2n-tuple (A_1 = g^{x_1}, ..., A_n = g^{x_n}, B_1 = g^{r_1 x_1}, ..., B_n = g^{r_n x_n}) where either
all the r_i are equal (if r_2 = r_1), or the r_i are independent from one another (if
r_2 ≠ r_1). To this aim, one chooses a random pair (u_i, v_i), and computes

$$A_i = A_1^{u_i} A_2^{v_i} = g^{x_1 u_i + x_2 v_i} = g^{x_i},$$

$$B_i = B_1^{u_i} B_2^{v_i} = g^{r_1 x_1 u_i + r_2 x_2 v_i} = g^{r_1 x_i + (r_2 - r_1) x_2 v_i}.$$

□
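The random self-reducibility step of this proof, as an added Python example (not the paper's code): one DDH instance is expanded into the 2n-tuple (A_1, ..., A_n, B_1, ..., B_n) with the pairs (u_i, v_i) above, and the result lies in M-DH_n exactly when the instance was a Diffie-Hellman tuple. The group (q = 11, p = 23, g = 2) and all exponents are constructed toy values.

```python
"""Added example (not the paper's code): the random self-reducibility step of
Lemma 1, turning one DDH instance into an n-element M-DDH instance."""
import random

# Constructed toy group (far too small for real use): q = 11 is prime,
# p = 23 = 2q + 1, and g = 2 generates the subgroup of order q in Z_p^*.
P, Q, G = 23, 11, 2


def ddh_instance(x2, r1, r2):
    """(g^{x2}, g^{r1}, g^{r2 x2}): a Diffie-Hellman tuple when r2 == r1, random otherwise."""
    return pow(G, x2, P), pow(G, r1, P), pow(G, r2 * x2, P)


def expand(instance, n, rng):
    """Derive (A_1..A_n, B_1..B_n) from one DDH instance.

    Costs 2 + 4(n - 2) = 4n - 6 exponentiations, as counted in Lemma 1."""
    g_x2, g_r1, g_r2x2 = instance
    x1 = rng.randrange(1, Q)                 # fresh exponent chosen by the reduction
    A = [pow(G, x1, P), g_x2]                # A_1 = g^{x1}, A_2 = g^{x2}
    B = [pow(g_r1, x1, P), g_r2x2]           # B_1 = g^{r1 x1}, B_2 = g^{r2 x2}
    for _ in range(n - 2):
        u, v = rng.randrange(1, Q), rng.randrange(1, Q)   # random pair (u_i, v_i)
        # A_i = A_1^u A_2^v = g^{x1 u + x2 v} = g^{x_i}
        A.append(pow(A[0], u, P) * pow(A[1], v, P) % P)
        # B_i = B_1^u B_2^v = g^{r1 x_i + (r2 - r1) x2 v}
        B.append(pow(B[0], u, P) * pow(B[1], v, P) % P)
    return A, B


def is_mdh_tuple(A, B, r):
    """True iff B_i = A_i^r for every i, i.e. the tuple is in M-DH_n with exponent r."""
    return all(pow(a, r, P) == b for a, b in zip(A, B))


if __name__ == "__main__":
    A, B = expand(ddh_instance(x2=5, r1=7, r2=7), 6, random.Random(1))
    print(is_mdh_tuple(A, B, 7))     # True: the DH instance yields an M-DH tuple
    A, B = expand(ddh_instance(x2=5, r1=7, r2=3), 6, random.Random(1))
    print(is_mdh_tuple(A, B, 7))     # False: the r_i differ (v_i != 0 in this toy group)
```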


4 A Password-Based Group Diffie-Hellman Protocol

In the following theorems and proofs we assume both the random oracle model
and the ideal-cipher model, and the arithmetic is in a finite cyclic group G = ⟨g⟩
of order a ℓ_1-bit prime number q, where the operation is denoted multiplicatively.
More precisely, we consider G* = G \ {1}. It has the particularity that for any
h ∈ G*, G* = {h^r | r ∈ {1, ..., q − 1}}, but it is no longer a group.

We then use a hash function H from {0, 1}* to {0, 1}^{ℓ_2} and consider several
block ciphers, depending on the size of the input: for each integer i ≥ 2, we
define two families E^i = {E^i_k} and E'^i = {E'^i_k} of keyed permutations over G^{*i},
where k ∈ Password. The inverse of E^i_k (resp. E'^i_k) is denoted D^i_k (resp. D'^i_k).
In practice, such encryption schemes are instantiated with CBC mode so
that each part of the plaintext depends on the entire ciphertext. Following this
idea, we (abusively) denote E_k(X) (resp. E'_k(X)) the encryption of a plaintext
X ∈ G^{*i} for some i under key k using E^i_k (resp. E'^i_k) without explicitly specifying
the length of X.

4.1 Algorithm

As illustrated in Figure 2, the protocol EKE consists of a set of players arranged
in a ring, and the flows are encrypted under the password pw. The session-
key space SK associated to this protocol is {0, 1}^{ℓ_2} equipped with a uniform
distribution. Moreover, EKE consists of two stages: several up-flows (which are
encrypted using E) and the down-flow (which is encrypted using E').

In the up-flow, player U_i (for 1 ≤ i < n) receives a ciphertext Fl_{i−1} ∈ G^{*i}
and decrypts it using D_pw into the plaintext X_{i−1} ∈ G^{*i} (by convention, U_1
just receives Fl_0 = "Start", and thus builds X_0 = {g_0}, where g_0 is a random
element in G*). Player U_i then generates at random two (private) values (x_i, v_i)
in Z_q^* and gets X_i := Φ(X_{i−1}, x_i, v_i) ∈ G^{*(i+1)} by processing the plaintext X_{i−1}


[Figure 2 is a sequence diagram of the flows between U_1, U_2, ..., U_n; only its
recoverable content is kept here. U_1 picks x_1, v_1 ∈ [1, q − 1], sets X_0 = {g_0},
computes X_1 := Φ(X_0, x_1, v_1) and sends Fl_1 := E_pw(X_1). Each U_i (1 < i < n)
decrypts X_{i−1} := D_pw(Fl_{i−1}), picks x_i, v_i ∈ [1, q − 1], computes
X_i := Φ(X_{i−1}, x_i, v_i) and sends Fl_i := E_pw(X_i). U_n decrypts
X_{n−1} := D_pw(Fl_{n−1}), picks x_n, v_n ∈ [1, q − 1], computes X'_n := Φ'(X_{n−1}, x_n, v_n)
and broadcasts Fl_n := E'_pw(X'_n). Each player gets X'_n := D'_pw(Fl_n) and
K = (α_i)^{x_i} = g_n^{x_1 ··· x_n}, where g_n = g_0^{v_1 ··· v_n}.]

Fig. 2. Protocol EKE. The multicast group is U = {U_1, U_2, ..., U_n} and the session
key is sk = H(U ‖ Fl_n ‖ K).
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according to the operator 4> (described below). Player Ui finally encrypts the 
value Xj using £ pw and forwards the ciphertext FI,; to the next player in the 
ring. 

The down-flow takes place when player U n receives the last up-flow Fl„_i G 
G". It decrypts it using V pw into the plaintext X„_-| G G n . It then generates at 
random two (private) values (x n , v n ) in Z* and gets X' n := < ?'(X n _- l , x n , u n ) G G” 
by processing the plaintext X„_i according to the operator <P' (described below). 
Player U n finally encrypts the value X' n using £' pw and broadcasts the ciphertext 
Fl„. 

Finally, each player can compute the session key sk = 'H{U\\V\ n \\K) , where 
K = (Pq Indeed, if everything worked correctly, player t/, : can com- 

pute K by decrypting the broadcast Fl n using ty into X' n G G" and raising 
the x-tli term a,; of X' n to the power of its private exponent Xi. 


4.2 Operators $\Phi$ and $\Phi'$

We now describe the operators $\Phi$ and $\Phi'$, and see that finally all the players agree on the same value $K$. The operator $\Phi$ takes as inputs a set $\{\beta_1, \ldots, \beta_{i-1}, \beta_i\} \in G^i$, for some $i$, a private exponent $x \in \mathbb{Z}_q^*$ and a blinding exponent $\nu \in \mathbb{Z}_q^*$. Then,

$\Phi(\{\beta_1, \ldots, \beta_{i-1}, \beta_i\}, x, \nu) = \{\beta_1^{x\nu}, \ldots, \beta_{i-1}^{x\nu}, \beta_i^{\nu}, \beta_i^{x\nu}\} \in G^{i+1}.$

The operator $\Phi'$ does exactly the same transformation but returns the $i$ first elements only:

$\Phi'(\{\beta_1, \ldots, \beta_{i-1}, \beta_i\}, x, \nu) = \{\beta_1^{x\nu}, \ldots, \beta_{i-1}^{x\nu}, \beta_i^{\nu}\} \in G^i.$

Therefore, if all the computations are performed correctly, the flows between 4 players include the plaintexts $X_1$, $X_2$ and $X_3$ presented in Figure 3. The plaintext $X'_4$ is the 4 first elements of $X_4$ only, while the last element of $X_4$ is $K = (g_0^{\nu_1\nu_2\nu_3\nu_4})^{x_1x_2x_3x_4} = g_4^{x_1x_2x_3x_4}$.

One can indeed check by induction that, for $j \le i$, the $j$-th element of $X_i$ is $(g_0^{\mu_i})^{y_i/x_j} = g_i^{y_i/x_j}$ (and its last element is $g_i^{y_i}$), where $\mu_i = \nu_1 \cdots \nu_i \bmod q$, $g_i = g_0^{\mu_i}$ and $y_i = x_1 \cdots x_i \bmod q$. Therefore, the $i$-th element $\alpha_i$ of the down-flow is $g_n^{y_n/x_i}$, which with the knowledge of $x_i$ leads to the common value $K = \alpha_i^{x_i} = g_n^{y_n}$.


Fig. 3. Honest execution, when $n = 4$. We denote $\nu_i = \log_{g_{i-1}}(g_i)$. (Figure not reproduced; it lists the lines $X_0 = \{g_0\}$, $X_1 = \Phi(X_0, x_1, \nu_1)$, $X_2 = \Phi(X_1, x_2, \nu_2)$, $X_3 = \Phi(X_2, x_3, \nu_3)$ and $X_4 = \Phi(X_3, x_4, \nu_4)$.)


Group Diffie-Hellman Key Exchange Secure against Dictionary Attacks 505 


4.3 Dictionary Attacks 

In EKE, we have to be careful about the content of the ciphertext, since any redundancy in the concatenation of the plaintexts in the flows of the protocol could be used by the adversary to mount a dictionary attack. The adversary could decrypt flows using all the passwords in the dictionary and look for this redundancy.

Namely, the trivial conversion wherein one substitutes, in a group Diffie-Hellman protocol cni, the signature scheme by a symmetric encryption scheme is easily seen to be insecure, while it works in the two-party case. This conversion indeed produces a protocol in which all the computations are performed with $\nu_i = 1$, for all $i$: therefore the last element of each plaintext in $\mathsf{Fl}_i$ also belongs to the plaintext in $\mathsf{Fl}_{i+1}$.
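As an added worked example (not code from the paper), the operators $\Phi$ and $\Phi'$ of Section 4.2 and the key agreement of Section 4.1 are run over a constructed toy group, together with the redundancy check of Section 4.3: with $\nu_i = 1$ the last element of $X_i$ reappears in $X_{i+1}$, which is exactly the pattern an off-line password search can test for, while with random blinding exponents consecutive plaintexts share nothing. The group parameters ($p = 2039$, $q = 1019$, $g_0 = 4$) and the exponents are assumptions chosen so the arithmetic can be checked by hand; they are far too small for real use.

```python
"""EKE operators Phi and Phi' over a constructed toy group (added example, not the paper's code).

Assumptions: p = 2q + 1 with p, q prime; G is the order-q subgroup of Z_p^* without
the identity; exponents live in Z_q^* = {1, ..., q-1}. These parameters are far too
small for real use and exist only to make the arithmetic checkable by hand.
"""

P, Q, G0 = 2039, 1019, 4   # g_0 = 4 = 2^2 mod p generates the order-q subgroup


def phi(line, x, nu):
    """Phi({b_1, ..., b_i}, x, nu) = {b_1^{x nu}, 
..., b_{i-1}^{x nu}, b_i^nu, b_i^{x nu}} in G^{i+1}."""
    *head, last = line
    return tuple(pow(b, x * nu, P) for b in head) + (pow(last, nu, P), pow(last, x * nu, P))


def phi_prime(line, x, nu):
    """Phi' is Phi without its last element: the down-flow X'_n in G^n."""
    return phi(line, x, nu)[:-1]


def run_eke_plaintexts(xs, nus):
    """Plaintexts of an honest execution with n = len(xs) players.

    The cipher layer is left out: Fl_i is just E_pw(X_i), so the values that matter
    for key agreement are the plaintexts. Returns the up-flow plaintexts X_1..X_{n-1},
    the down-flow plaintext X'_n and the list of keys K_i = alpha_i^{x_i}.
    """
    n = len(xs)
    flows = []
    X = (G0,)                                   # X_0 = {g_0}
    for i in range(n - 1):                      # up-flows of U_1, ..., U_{n-1}
        X = phi(X, xs[i], nus[i])
        flows.append(X)
    Xp = phi_prime(X, xs[n - 1], nus[n - 1])   # down-flow of U_n
    keys = [pow(Xp[i], xs[i], P) for i in range(n)]
    return flows, Xp, keys


def closed_form_key(xs, nus):
    """K = g_n^{y_n} with g_n = g_0^{nu_1 ... nu_n} and y_n = x_1 ... x_n (Section 4.2)."""
    e = 1
    for v in list(xs) + list(nus):
        e = e * v % Q
    return pow(G0, e, P)


def shared_elements(flows):
    """Count consecutive up-flow plaintexts (X_i, X_{i+1}) that have an element in common.

    With nu_i = 1 for all i (the trivial conversion of Section 4.3) the last element of
    X_i reappears in X_{i+1}: redundancy that an off-line password search can test for.
    With random blinding exponents there is nothing to recognise.
    """
    return sum(1 for a, b in zip(flows, flows[1:]) if set(a) & set(b))


if __name__ == "__main__":
    xs, nus = (3, 5, 7, 11), (13, 17, 19, 23)   # constructed private/blinding exponents
    flows, Xp, keys = run_eke_plaintexts(xs, nus)
    assert len(set(keys)) == 1 and keys[0] == closed_form_key(xs, nus)
    print("blinded run: shared elements =", shared_elements(flows))
    print("unblinded run: shared elements =", shared_elements(run_eke_plaintexts(xs, (1, 1, 1, 1))[0]))
```

The unblinded run reproduces the observation of Section 4.3 (two of the three consecutive pairs share an element for $n = 4$); the blinded run shares none, and every player still lands on the closed-form key $g_n^{y_n}$.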

5 Security Result 

In this section we assert that under reasonable and well-defined intractability assumptions the protocol EKE securely distributes session keys. We deal with the AKE goal only and thus do not consider forward-secrecy here. However, concurrent executions are possible.

Theorem 1. Let $P$ be the EKE protocol, $\mathsf{SK}$ be the session-key space and $\mathsf{Password}$ be a finite dictionary of size $N$. Let $\mathcal{A}$ be an adversary against the AKE security of $P$ within a time bound $T$, after $q_s$ interactions with the parties, $q_h$ hash-queries, and $q_e$ encryption/decryption queries. Then we have:

$\mathrm{Adv}^{ake}_P(\mathcal{A}) \le \frac{2 q_s}{N} + 2 q_s\, \mathrm{Adv}^{mddh_n}_G(T') + 2 q_h\, \mathrm{Succ}^{tgcdh_n}_G(T') + \frac{Q^2}{(q-1)^2}$

where $T' \le T + nQ\tau_G$, $Q = 3 q_s + q_e$ and $\tau_G$ is the computational time for an exponentiation in $G$. (Recall that $q$ is the order of $\mathbb{G}$.)

This theorem shows that EKE is secure against dictionary attacks, since the advantage of the adversary essentially grows with the ratio of interactions (number of Send-queries) to the number of passwords. This is particularly significant in practice, since a password may expire once a number of failed interactions has been reached, whereas the adversary's capability to enumerate passwords off-line is only limited by its computational power.

Of course, the security result only holds provided that the adversary does not solve either the trigon group computational problem TG-CDH or the multi-decisional Diffie-Hellman problem M-DDH. But these terms can be made negligible by an appropriate choice of parameters for the group $G$.

6 Proof of Security

In this section we show that the protocol EKE achieves security against dictionary attacks as claimed by Theorem 1. We first introduce the notations we will use and then prove that the best the adversary can do is to essentially eliminate one password from the dictionary per initiated session (maybe concurrently). Here, we present a proof that does not yet deal with forward-secrecy. All the lemmas are proven in the full version of this paper [S|.

6.1 Operator $\Psi$

As illustrated in Figure 3, each player $U_i$ generates a new basis when processing an up-flow by raising the values it received to the power of its random blinding exponent $\nu_i$. But let us notice that given a TG-CDH instance of size $n$, with the TG-CDH solution, one can easily derive the trigon whose lines are the flows sent during an honest execution of EKE, by raising the lines to the power of random and independent exponents.

We denote by $\theta$ an $n$-tuple of elements in $\mathbb{Z}_q^*$, by $\theta_i$ the $i$-th component of $\theta$, and by $[g]_n$ the $n$-tuple $(g, \ldots, g)$. For any line $L$ of length $i+1$, the operator $\Psi$ takes as input an $n$-tuple $\theta$ and a random exponent $\nu$, and applies a (multiplicative) self-reduction of the line $L$ as follows:

- [Using $\theta$] first, one raises the first $i$ elements of $L$ to the power of $\Theta_i/\theta_1, \ldots, \Theta_i/\theta_i$ respectively, and the last element to the power of $\Theta_i$, where $\Theta_i = \theta_1 \cdots \theta_i$;

- [Change of Basis] then, one raises all the elements of the tuple to the power $\nu$.

For example, from a line $L = (g_1, \ldots, g_{i+1})$, with any tuple $\theta$ and $\nu$, one gets

$\Psi(L, \theta, \nu) = (g_1^{\nu\Theta_i/\theta_1}, \ldots, g_i^{\nu\Theta_i/\theta_i}, g_{i+1}^{\nu\Theta_i}),$

where $\Theta_i = \theta_1 \cdots \theta_i$. A line $L$ of the form $(g^{y_i/x_1}, \ldots, g^{y_i/x_i}, g^{y_i})$ where $y_i = x_1 \cdots x_i$ is thus represented as follows:

$L = \Psi([g]_{i+1}, (x_1, \ldots, x_i, 1, \ldots, 1), 1) \in G^{i+1}.$

The following lemmas exhibit some useful results about the operators $\Phi$ and $\Psi$:

Lemma 2 (Equality of Distributions). Let $g \in G$ and $L = (g^{a_0}, \ldots, g^{a_i}) \in G^{i+1}$. The following two distributions are perfectly indistinguishable:

$\{\Psi(L, \theta, \nu)\}$ and $\{(g^{r_0}, \ldots, g^{r_i})\}$

(for $\theta$ drawn uniformly in $(\mathbb{Z}_q^*)^n$, $\nu$ uniformly in $\mathbb{Z}_q^*$ and $r_0, \ldots, r_i$ uniformly in $\mathbb{Z}_q^*$).

Lemma 3 (Commutativity and Composition). Let $x, \nu, \nu' \in \mathbb{Z}_q^*$ and $\theta, \theta' \in (\mathbb{Z}_q^*)^n$. For any line $L \in G^i$, we have (where $\theta\theta'$ is the component-wise multiplication of the vectors $\theta$ and $\theta'$):

$\Psi(\Phi(L, x, \nu), \theta, \nu') = \Phi(\Psi(L, \theta, \nu'), x\theta_i, \nu);$
$\Psi(\Psi(L, \theta, \nu), \theta', \nu') = \Psi(L, \theta\theta', \nu\nu');$
$\Psi(\Phi(L, x, \nu), [1]_n, \nu') = \Phi(L, x, \nu\nu');$
if $(\forall j \le i,\ \theta_j = \theta'_j)$, then $\Psi(L, \theta, \nu) = \Psi(L, \theta', \nu)$.
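An added example, not the paper's code, implementing the operator $\Psi$ and checking the four identities of Lemma 3 on concrete values, using the same constructed toy group as in the earlier example (an assumption: $p = 2039$, $q = 1019$, $g = 4$; exponents in $\mathbb{Z}_q^*$, divisions done with modular inverses). It also checks the representation of an honest line as $\Psi([g]_{i+1}, (x_1, \ldots, x_i, 1, \ldots, 1), 1)$. The few-line $\Phi$ from Section 4.2 is repeated so the block runs stand-alone.

```python
"""The self-reduction operator Psi of Section 6.1 and the identities of Lemma 3.

Added example, not the paper's code. Assumption: the constructed toy group p = 2q + 1,
G the order-q subgroup of Z_p^* (far too small for real use); lines are tuples of
elements of G, theta is an n-tuple over Z_q^*, and x / theta_j means x * theta_j^{-1} mod q.
"""

P, Q, G0 = 2039, 1019, 4


def phi(line, x, nu):
    """Phi from Section 4.2, repeated here so the block is self-contained."""
    *head, last = line
    return tuple(pow(b, x * nu, P) for b in head) + (pow(last, nu, P), pow(last, x * nu, P))


def psi(line, theta, nu):
    """Psi(L, theta, nu) for a line L of length i+1: the first i elements go to the power
    Theta_i/theta_j (Theta_i = theta_1 ... theta_i), the last one to Theta_i, then all to nu."""
    i = len(line) - 1
    big = 1
    for t in theta[:i]:
        big = big * t % Q
    out = [pow(b, big * pow(theta[j], -1, Q) % Q * nu, P) for j, b in enumerate(line[:i])]
    out.append(pow(line[i], big * nu, P))
    return tuple(out)


def honest_line(xs):
    """(g^{y_i/x_1}, ..., g^{y_i/x_i}, g^{y_i}) with y_i = x_1 ... x_i, built directly."""
    y = 1
    for x in xs:
        y = y * x % Q
    return tuple(pow(G0, y * pow(x, -1, Q) % Q, P) for x in xs) + (pow(G0, y, P),)


def represented_line(xs, n):
    """The same line written as Psi([g]_{i+1}, (x_1, ..., x_i, 1, ..., 1), 1)."""
    i = len(xs)
    theta = tuple(xs) + (1,) * (n - i)
    return psi((G0,) * (i + 1), theta, 1)


def lemma3_holds(line, x, nu, nu_p, theta, theta_p):
    """Evaluate the four identities of Lemma 3 on concrete values (L in G^i, i = len(line)).
    theta and theta_p must have n >= i components."""
    i = len(line)
    n = len(theta)
    prod = tuple(a * b % Q for a, b in zip(theta, theta_p))   # component-wise theta * theta'
    ones = (1,) * n                                           # [1]_n
    mixed = theta[:i] + theta_p[i:]                           # agrees with theta on the first i
    return (
        psi(phi(line, x, nu), theta, nu_p) == phi(psi(line, theta, nu_p), x * theta[i - 1] % Q, nu)
        and psi(psi(line, theta, nu), theta_p, nu_p) == psi(line, prod, nu * nu_p % Q)
        and psi(phi(line, x, nu), ones, nu_p) == phi(line, x, nu * nu_p % Q)
        and psi(line, theta, nu) == psi(line, mixed, nu)
    )


if __name__ == "__main__":
    # Constructed sample values: a line in G^3 and two full exponent vectors for n = 5.
    L = honest_line((5, 9))
    print("Lemma 3 holds:", lemma3_holds(L, 17, 19, 23, (3, 5, 7, 11, 13), (2, 4, 6, 8, 10)))
    print("representation matches:", represented_line((3, 5, 7), 5) == honest_line((3, 5, 7)))
```

The first identity is the one the simulator relies on in Game G3: blinding $L_i = \Phi(L_{i-1}, x_i, \nu_i)$ with $\Psi$ is the same as blinding $L_{i-1}$ first and then applying $\Phi$ with the private exponent multiplied by $\theta_i$, which is what makes Lemma 5 below work.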
6.2 Proof of Theorem 1

In this section we incrementally define a sequence of games starting at the real game $\mathbf{G}_0$ and ending up at $\mathbf{G}_6$. We let $b$ and $b'$ be defined as in Section 2.1 and refer to $\mathsf{S}_i$ as the event $b = b'$ in game $\mathbf{G}_i$. We also define the event $\mathsf{Encrypt}_i$ as the event that a flow has been encrypted, but not decrypted first (see below), by the adversary under $pw$ (with any symmetric encryption scheme $\mathcal{E}$ or $\mathcal{E}'$). We use the following lemma within our sequence of games HJ:

Lemma 4. Let $\mathsf{E}, \mathsf{E}'$ and $\mathsf{F}, \mathsf{F}'$ be some events defined on a probability space. Let us assume that $\Pr[\mathsf{F}] = \Pr[\mathsf{F}'] = \epsilon$ and $\Pr[\mathsf{E} \wedge \neg\mathsf{F}] = \Pr[\mathsf{E}' \wedge \neg\mathsf{F}']$. Then,

$|\Pr[\mathsf{E}] - \Pr[\mathsf{E}']| \le \epsilon.$

Game $\mathbf{G}_0$: This is the real attack $\mathbf{Game}^{ake}(\mathcal{A}, P)$ in which several oracles are available to the adversary: a hash oracle, the encryption/decryption oracles, and all the instances of players (in order to cover concurrent executions).

Rule 1: The instances of players process each Send-query with a pair of random exponents $(x_i, \nu_i)$, using the operators $\Phi$ and $\Phi'$.

Thus, the instances of players can easily answer the Reveal-query and the Test-query. The Execute-query is processed similarly. By definition, $\Pr[\mathsf{S}_0] = (\mathrm{Adv}^{ake}_P(\mathcal{A}) + 1)/2$.


Game $\mathbf{G}_1$: We simulate the hash and the encryption/decryption oracles as in $\mathbf{G}_0$ by maintaining five lists: a hash list ($\Lambda_H$), encryption lists ($\Lambda_E$, $\Lambda'_E$) and decryption lists ($\Lambda_D$, $\Lambda'_D$). The lists are initially empty. We denote by $q_h$ the size of $\Lambda_H$, and by $q_E$ the number of encryption-decryption relations, i.e. $q_E$ is the size of $\Lambda_E \cup \Lambda'_E$. The queries are answered as follows:

— Hash-query: For a query $q$ such that a record $(q, r)$ appears in $\Lambda_H$, the answer is $r$. Otherwise $r$ is chosen at random from $\{0,1\}^{\ell_2}$ and the record $(q, r)$ is added to $\Lambda_H$. We have $\mathcal{H}(q) = r$.

— Encryption-query: For an encryption query $(k, X)$ to $\mathcal{E}$ (resp. $\mathcal{E}'$) such that a record $(*, k, X, Y)$ appears in $\Lambda_E$ (resp. $\Lambda'_E$), the answer is $Y$. Otherwise $Y$ is a random ciphertext of length $|X|$. The record $(\delta, k, X, Y)$ is then added to the encryption list $\Lambda_E$ (resp. $\Lambda'_E$). $\delta \in \{0,1\}$ is a bit indicating the originator of the query: if the query comes from the simulator then $\delta = 0$, else the query comes from the adversary and $\delta = 1$.

— Decryption-query: For a decryption query $(k, Y)$ to $\mathcal{D}$ (resp. $\mathcal{D}'$) such that a record $(*, k, X, Y)$ appears in $\Lambda_E$ (resp. $\Lambda'_E$), the answer is $X$. Otherwise $X$ is generated by the following rule:

Rule 2: $X$ is a random tuple $\{g^{r_i}\}_{1 \le i \le |Y|}$ where $r_1, \ldots, r_{|Y|}$ are randomly drawn in $\mathbb{Z}_q^*$.

The record $(k, Y, X)$ is then added to the decryption list $\Lambda_D$ (resp. $\Lambda'_D$) while the record $(0, k, X, Y)$ is added to the encryption list $\Lambda_E$ (resp. $\Lambda'_E$).

We notice that a decryption-query adds a record to both the encryption and the decryption lists, while an encryption-query adds a record to the encryption list only. In both cases, a later encryption or decryption query on the same elements does not add any record to any list. Hence, a record $(k, Y, X)$ appears in the decryption list if and only if the decryption query $(k, Y)$ has been asked first (i.e., before the corresponding encryption query).

With this definition, $\mathsf{Encrypt}_i$ is defined in game $\mathbf{G}_i$ as the event that there exists a record $(1, pw, X, Y)$ in an encryption list, such that $Y$ has been submitted in a Send-query. Note that this implies that the corresponding record $(pw, Y, X)$ does not appear in any decryption list.

From the above simulation we easily see that the games $\mathbf{G}_1$ and $\mathbf{G}_0$ are perfectly indistinguishable, unless the permutation property of the block ciphers does not hold. One could have avoided collisions in the above simulation, but the probability that one occurs is at most $q_E^2/2(q-1)^2$, since the smallest set for the encryption functions is $|G^2| = (q-1)^2$:

$|\Pr[\mathsf{S}_1] - \Pr[\mathsf{S}_0]| \le \frac{q_E^2}{2(q-1)^2}.$ (1)
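The bookkeeping of Game $\mathbf{G}_1$ is easy to get wrong, so here is an added example (not from the paper) that lazily simulates the encryption/decryption oracles with the lists $\Lambda_E$ and $\Lambda_D$, the originator bit $\delta$, Rule 2 for fresh decryptions, and the $\mathsf{Encrypt}$ event. Two modelling assumptions are made for illustration only: a ciphertext is a random integer tuple of the plaintext's length (standing in for a random element of $G^{|X|}$), and the group is the constructed toy group of the earlier examples.

```python
"""Lazy simulation of the Game G1 oracles (added example, not the paper's code).

Assumptions: the constructed toy group P, Q, G0 from the earlier examples; a ciphertext is
modelled as a random tuple of integers of the plaintext's length; keys are arbitrary
hashable values (here the password pw). Only one encryption family is modelled; the
primed lists Lambda'_E, Lambda'_D would be a second instance of the same class.
"""
import secrets

P, Q, G0 = 2039, 1019, 4


class IdealCipherSim:
    """Encryption list Lambda_E of records (delta, k, X, Y) and decryption list Lambda_D of
    records (k, Y, X), maintained as in Game G1."""

    def __init__(self):
        self.enc = []   # Lambda_E
        self.dec = []   # Lambda_D

    def encrypt(self, k, X, from_adversary):
        """Encryption-query (k, X): reuse the recorded Y if any, else a fresh random one.
        delta = 1 marks a query made by the adversary, delta = 0 one made by the simulator."""
        for _, kk, XX, Y in self.enc:
            if kk == k and XX == X:
                return Y
        Y = tuple(secrets.randbelow(P) for _ in X)   # random ciphertext of length |X|
        self.enc.append((1 if from_adversary else 0, k, X, Y))
        return Y

    def decrypt(self, k, Y):
        """Decryption-query (k, Y): reuse the recorded X if any, else Rule 2 (random g^{r_i}).
        A fresh decryption is recorded in both lists, with delta = 0."""
        for _, kk, X, YY in self.enc:
            if kk == k and YY == Y:
                return X
        X = tuple(pow(G0, 1 + secrets.randbelow(Q - 1), P) for _ in Y)
        self.dec.append((k, Y, X))
        self.enc.append((0, k, X, Y))
        return X

    def decrypted_first(self, k, Y):
        """(k, Y, X) is in Lambda_D iff the decryption query was asked before any encryption."""
        return any(kk == k and YY == Y for kk, YY, _ in self.dec)

    def encrypt_event(self, pw, sent_flows):
        """Event Encrypt: a record (1, pw, *, Y) exists and Y was submitted in a Send-query."""
        return any(d == 1 and k == pw and Y in sent_flows for d, k, _, Y in self.enc)


if __name__ == "__main__":
    sim = IdealCipherSim()
    y_adv = sim.encrypt("pw", (2, 3), True)      # adversary encrypts under the real password
    print("Encrypt event after sending it:", sim.encrypt_event("pw", {y_adv}))
```

A flow the adversary first decrypts and then re-encrypts never triggers the event, because the record created by the decryption carries $\delta = 0$; only a ciphertext the adversary produced itself under $pw$ and then injected does.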

Game $\mathbf{G}_2$: We delete the executions wherein the adversary may have guessed the password. More formally, we delete the executions wherein the event $\mathsf{Encrypt}_1$ occurs, i.e. a Send$(U, Y)$-query is asked and a record of the form $(1, pw, *, Y)$ appears in an encryption list. In these executions, we stop, setting $b'$ at random:

$|\Pr[\mathsf{S}_2] - \Pr[\mathsf{S}_1]| \le \Pr[\mathsf{Encrypt}_1].$ (2)


Game $\mathbf{G}_3$: We simulate the instances of players from a tuple $(x_1, \ldots, x_n)$. This tuple allows us to compute an instance $\mathcal{D} = \mathcal{D}(x_1, \ldots, x_n)$ of the TG-CDH$_n$ with its solution $g^{x_1 \cdots x_n}$. We use $\mathcal{D}$ to construct, using blinding exponents $\nu_1, \ldots, \nu_n$, the triangular structure illustrated in Figure 3 where all the bases are randomized. The lines of this structure will be used in this game to answer the Send-queries. The lines of this triangular structure are denoted and constructed as follows:

$L_i = \{g\}$ if $i = 0$, and $L_i = \Phi(L_{i-1}, x_i, \nu_i)$ if $1 \le i \le n$,

where the $(n+1)$-th element $\kappa$ of $L_n$ is $\kappa = g_n^{x_1 \cdots x_n}$, with $g_n = g^{\nu_1 \cdots \nu_n}$.

We now show how to use these lines to simulate the instances of players. We first maintain a list $\Lambda_\Psi$ that keeps track of the exponents $\theta$ used to blind a line $L_i$: $L = \Psi(L_i, \theta, \nu)$. This list contains records of the form $(i, \theta, \nu, L)$ and is initially set to $\{(0, [1]_n, 1, \{g\})\}$. Then, we answer a Send$(\Pi_i, \mathsf{Fl})$-query as follows:

— $\Pi_i$ is waiting for an up-flow: if the length of $\mathsf{Fl}$ is different from $i$, then we do not do anything. Otherwise we perform the following two steps.

1. if $i = 1$ then one sets $L = \{g\}$, else one invokes the decryption oracle to get $L = \mathcal{D}_{pw}(\mathsf{Fl})$.

2. one computes the line $L'$ according to Rule 1.1 and encrypts some elements of $L'$. If $i < n$, then the whole line $L'$ is encrypted into $\mathcal{E}_{pw}(L')$. Otherwise, if $i = n$, then only the $n$ first elements of $L'$, which we refer to as $L''$, are encrypted using $\mathcal{E}'_{pw}$. Finally, $\Pi_i$ waits for the down-flow.

Rule 1.1: We first choose two random exponents $(\rho^1_i, \rho^2_i) \in (\mathbb{Z}_q^*)^2$. If $(i-1, \theta, \nu, L) \in \Lambda_\Psi$ for some $\theta, \nu$, then we compute $L' = \Psi(L_i, \theta', \rho^2_i \nu)$ where $\theta'$ is defined as $\theta$ except that $\theta'_i = \rho^1_i$, and we update the list $\Lambda_\Psi$. Otherwise one applies the Rule 1.1' presented below.

Rule 1.1': One still uses Rule 1, but with $(x_i \rho^1_i, \nu_i \rho^2_i)$ instead of $(x_i, \nu_i)$.

The random $\rho^1_i$ is different each time one answers this flow (either by Rule 1.1 or Rule 1.1'). Indeed, the same flow $\mathsf{Fl}$ may be sent several times by the adversary in different and concurrent executions.

By induction, one easily shows that any line $L$ either comes from Rule 2 or, under $\neg\mathsf{Encrypt}$, from a previous Rule 1.1.

— $\Pi_i$ is waiting for a down-flow: if the length of $\mathsf{Fl}$ is different from $n$, then we do not do anything. Otherwise, we invoke the decryption oracle $\mathcal{D}'_{pw}(\mathsf{Fl})$ to obtain $L''$, or more specifically to obtain the $i$-th element $\alpha_i$ in $L''$:

Rule 3: For any $\Pi_i$, $K_i$ is set to be $(\alpha_i)^{x_i \rho^1_i}$, where $\alpha_i$ is the $i$-th element in the down-flow $L''$ received by $\Pi_i$.

We now have to show that the $\Phi$ relation between the lines $L_{i-1}$ and $L_i$ is "preserved" by the $\Psi$ transformation. The following lemma shows it: two lines of the triangular structure already related by the operator $\Phi$ are still related by $\Phi$ after having respectively been transformed into $L$, $L'$ by the operator $\Psi$.

Lemma 5. $L' = \Phi(L, x_i \rho^1_i, \rho^2_i \nu_i)$.

By Lemma 5, our simulation simply makes the player choose as private exponent $x_i \rho^1_i$ and as blinding exponent $\nu_i \rho^2_i$ (both values are uniformly distributed because $\rho^1_i$ and $\rho^2_i$ are). From the value $K_i$, we can then easily compute the session key $sk$ of $\Pi_i$ to be $\mathcal{H}(\mathcal{U} \| \mathsf{Fl}_n \| K_i)$.

It follows that games $\mathbf{G}_2$ and $\mathbf{G}_3$ are perfectly indistinguishable:

$\Pr[\mathsf{S}_3] = \Pr[\mathsf{S}_2].$ (3)


Game $\mathbf{G}_4$: We now modify the way the decryption queries are simulated by modifying Rule 2, in order to embed the instance $\mathcal{D}$ in the answers output by the decryption oracle, so that an attack may help us to solve it.

Rule 2.1: One chooses a random blinding exponent $\nu \in \mathbb{Z}_q^*$ and random exponents $\theta \in (\mathbb{Z}_q^*)^n$. If $Y$ is a query to $\mathcal{D}_{pw}$, then $X$ is set to $\Psi(L_i, \theta, \nu)$, where $i = |Y| - 1$. If $Y$ is a query to $\mathcal{D}'_{pw}$, and $|Y| = n$, then $X'$ is set to $\Psi(L_n, \theta, \nu)$, but $X$ is set to the $n$ first elements of $X'$. In both cases, the list $\Lambda_\Psi$ is updated.

From Lemma 2, with random $\theta$ and $\nu$, all the answers $X$ are perfectly random in $G^{|Y|}$:

$\Pr[\mathsf{S}_4] = \Pr[\mathsf{S}_3].$ (4)

Before going further on, let us claim the following lemma. It shows that from now on, Rule 1.1' will not be used anymore.

Lemma 6. If one assumes $\neg\mathsf{Encrypt}_4$ in game $\mathbf{G}_4$, any plaintext $L$ included in a flow received via a Send-query is recorded in $\Lambda_\Psi$ (possibly with one more element if $L$ has been decrypted by $\mathcal{D}'_{pw}$, and thus corresponds to a down-flow).

Game $\mathbf{G}_5$: In the above game $\mathbf{G}_4$, one can remark that knowledge of the $x_i$'s is not needed: one could only be given an instance $\mathcal{D} = \mathcal{D}(x_1, \ldots, x_n)$ of the TG-CDH$_n$ together with its solution $g^{x_1 \cdots x_n}$.

But while the $x_i$'s are not needed to construct the triangular structure $\{L_0, \ldots, L_n\}$, the $x_i$'s are needed to compute $K_i$. This value is in turn used to compute the session key $sk$ and is therefore needed to answer the Reveal-query and the Test-query. Thus, if we want to avoid the use of the $x_i$'s, we need to find another way to compute $K_i$.

Fortunately, it is possible: according to Lemma 6, if $\mathsf{Encrypt}_4$ did not occur then the up-flow $L' = \Phi(L, x_i \rho^1_i, \nu_i \rho^2_i)$ has been generated by Rule 1.1 with as input $L = \Psi(L_{i-1}, \theta, \nu)$. Let us recall that $L''$ corresponds to the $n$ first elements of the tuple $\Psi(L_n, \theta', \nu')$, that $\kappa = g_n^{x_1 \cdots x_n}$ is the last component of $L_n$, and that $\Theta'$ is equal to the product $\theta'_1 \cdots \theta'_n$. We can now compute $K_i$ by modifying Rule 3 to be:

Rule 3.1: $K_i = \kappa^{\nu' \Theta' \rho^1_i / \theta'_i}$. And then, the session keys can be computed without the $x_i$'s.

Lemma 7. Rule 3 and Rule 3.1 lead to the same result.

By Lemma 7, the games $\mathbf{G}_4$ and $\mathbf{G}_5$ are perfectly indistinguishable, as soon as $\mathsf{Encrypt}_5$ does not occur:

$\Pr[\mathsf{S}_5] = \Pr[\mathsf{S}_4].$ (5)

Game $\mathbf{G}_6$: Finally, we are just given an instance $\mathcal{D} = \mathcal{D}(x_1, \ldots, x_n)$ of the TG-CDH$_n$ without its solution. Then, if the adversary helps us to get some $K_i$, we have solved the TG-CDH$_n$ problem (and we are done, see Lemma 8 below).

However, since we do not know $\kappa$, we can no longer compute $K_i$ and can therefore not answer the Reveal-oracles (and the Test-query). We simply simulate the Reveal-oracles (even for a Test-query) by answering a random value, without asking the hash oracle $\mathcal{H}$.

Let us denote by $\mathsf{AskH}$ the event that $\mathcal{A}$ makes a hash-query of the form $(\mathcal{U} \| \mathsf{Fl}_n \| K_i)$, where $\mathsf{Fl}_n$ is the down-flow received by any $\Pi_i$. Unless $\mathsf{AskH}$ (or $\mathsf{Encrypt}_6$) occurs, games $\mathbf{G}_5$ and $\mathbf{G}_6$ are perfectly indistinguishable:

$\Pr[\mathsf{S}_6 \mid \neg\mathsf{AskH}] = \Pr[\mathsf{S}_5 \mid \neg\mathsf{AskH}].$ (6)

The probability of event $\mathsf{AskH}$ is upper-bounded in the following lemma. Let us recall that $q_h$ denotes the number of hash-queries asked by the adversary.

Lemma 8. $\Pr[\mathsf{AskH}] \le q_h\, \mathrm{Succ}^{tgcdh_n}_G(T + (q_s + q_E) n \tau_G)$.

In this game, answers to the Reveal-queries, and thus to the Test-query, are purely random. Then, it is straightforward to see that

$\Pr[\mathsf{S}_6] = \frac{1}{2}.$ (7)

From Lemma 4 and Equations (6), (7), we get:

$\left|\Pr[\mathsf{S}_5] - \frac{1}{2}\right| = |\Pr[\mathsf{S}_5] - \Pr[\mathsf{S}_6]| \le \Pr[\mathsf{AskH}].$

Finally, from Equations (1), (2), (3), (4) and (5), and Lemmas 4 and 8, we get:

$\left|\Pr[\mathsf{S}_0] - \frac{1}{2}\right| \le \Pr[\mathsf{Encrypt}_1] + \frac{q_E^2}{2(q-1)^2} + q_h\, \mathrm{Succ}^{tgcdh_n}_G(T + (q_s + q_E) n \tau_G).$ (8)

6.3 Probability of Event $\mathsf{Encrypt}_1$

The security against dictionary attacks is measured by the probability that the event $\mathsf{Encrypt}_1$ occurs. To evaluate this probability, we define a game wherein the view of the adversary is perfectly independent from the password $pw$, in the information-theoretic sense. First, let us note that the games $\mathbf{G}_2$, $\mathbf{G}_3$, $\mathbf{G}_4$ and $\mathbf{G}_5$ are perfectly indistinguishable, and thus

$\Pr[\mathsf{Encrypt}_5] = \Pr[\mathsf{Encrypt}_1].$ (9)

We define an auxiliary game $\mathbf{G}'_5$ similar to game $\mathbf{G}_5$ except that we answer differently to a Send$(\Pi_i, \mathsf{Fl})$-query when instance $\Pi_i$ is waiting for an up-flow. In this game $\mathbf{G}'_5$, we in fact re-define all coefficients used by the random self-reducibility and entirely re-blind the line $L_i$:

Rule 1.2: Whatever appears in $\Lambda_\Psi$ so far, we choose a random exponent $\nu \in \mathbb{Z}_q^*$, a full vector $\theta \in (\mathbb{Z}_q^*)^n$ and compute $L' = \Psi(L_i, \theta, \nu)$. We then update $\Lambda_\Psi$.

By Lemma 2, the plaintext $L'$ is indistinguishable from a random plaintext in $G^{i+1}$ and, therefore, the simulation is completely independent from the password $pw$. So we have

$\Pr[\mathsf{Encrypt}'_5] = q_s / N.$ (10)

Moreover, the only difference between games $\mathbf{G}'_5$ and $\mathbf{G}_5$ is in the way the Send-queries are answered. On input of a line $L = (a_1, \ldots, a_{i-1}, a_i)$, Rule 1.1 generates the line $L' = (a_1^{x\nu}, \ldots, a_{i-1}^{x\nu}, a_i^{\nu}, a_i^{x\nu})$ while Rule 1.2 generates $L'' = (g^{r_0}, \ldots, g^{r_i})$. Using the classical hybrid technique we can obtain:

$|\Pr[\mathsf{Encrypt}'_5] - \Pr[\mathsf{Encrypt}_5]| \le q_s\, \mathrm{Adv}^{mddh_n}_G(T + (q_s + q_E) n \tau_G).$ (11)

Finally, Equations (9), (10) and (11) lead to

$\Pr[\mathsf{Encrypt}_1] \le \frac{q_s}{N} + q_s\, \mathrm{Adv}^{mddh_n}_G(T + (q_s + q_E) n \tau_G).$

Note that $q_E$ is the size of $\Lambda_E \cup \Lambda'_E$ and it is thus equal to $q_e$ plus the number of queries asked by our simulation (at most two per Send-query): $q_E \le q_e + 2 q_s$. This note, combined with Equation (8), concludes the proof. □

7 Forward-Secrecy 

The above proof does not deal with forward-secrecy. Considering forward-secrecy requires taking into account a new kind of query that we call the Corrupt-query (any other kind of query can still be asked after this one):

— Corrupt$(U)$: This query models the attacks resulting in the password $pw$ being revealed. $\mathcal{A}$ gets back $pw$ from its query but does not get any internal data of $U$.

Then we define a new flavor of freshness, saying that an oracle $\Pi^t_U$ is Fresh (or holds a Fresh key $sk$) if the following conditions hold. First, no Corrupt-query has been made by the adversary since the beginning of the game. Second, $\Pi^t_U$ has computed a session key and neither $\Pi^t_U$ nor its partners have been asked for a Reveal-query. The partnering notion is more formally defined in the full version of this paper [S|.

This security level means that the adversary does not learn any information about previously established session keys when making a Corrupt-query. We thus denote by $\mathrm{Adv}^{ake\text{-}fs}_P(\mathcal{A})$ the advantage an adversary can get on a fresh key, with the ability to make a Corrupt-query.

Theorem 2. Let $P$ be the EKE protocol, $\mathsf{SK}$ be the session-key space and $\mathsf{Password}$ be a finite dictionary of size $N$. Let $\mathcal{A}$ be an adversary against the AKE security of $P$ within a time bound $T$, after $q_s$ interactions with the parties, $q_h$ hash-queries, and $q_e$ encryption/decryption queries. Then, there exists $k \le n$ such that:

$\mathrm{Adv}^{ake\text{-}fs}_P(\mathcal{A}) \le \frac{2 q_s}{N} + 2 q_s\, \mathrm{Adv}^{mddh_n}_G(T') + 2n\, q_s\, q_h\, \mathrm{Succ}^{tgcdh_k}_G(T') + \frac{Q^2}{(q-1)^2},$

where $T' \le T + Qn\tau_G$, $Q = 5 q_s + q_e$ and $\tau_G$ is the time of computation required for an exponentiation in $G$. (Recall that $q$ is the order of $\mathbb{G}$.)

Proof. The proof of this theorem is given in the full version of this paper 0.

8 Mutual Authentication 

The well-known approach for turning an Authenticated Key Exchange (AKE) protocol into a protocol that provides mutual authentication (MA) is to use the shared session key to construct a simple "authenticator" for the other parties. In HU], we already described the transformation, and justified its security in the random-oracle model. The first analysis had been done before in the two-party case in [5].

9 Conclusion 

This paper provides the first formal treatment of the authenticated group Diffie- 
Hellman key exchange problem that encompasses dictionary attacks. Addressed 
in this paper are two security goals of the group Diffie-Hellman key exchange: the 
authenticated key exchange and the mutual authentication. For each we present 
a definition, a protocol and a security proof in both the random oracle model 
and the ideal-cipher model that the protocol meets its goals. Furthermore, we 
consider forward-secrecy, even if the reduction is not very efficient. Reducing 
the ideal-cipher model assumption and improving the reduction for the forward- 
secrecy are still open problems. 
Abstract. We consider communication sessions in which a pair of parties begin by running an authenticated key-exchange protocol to obtain a shared session key, and then secure successive data transmissions between them via an authenticated encryption scheme based on the session key. We show that such a communication session meets the notion of a secure channel protocol proposed by Canetti and Krawczyk [9] if and only if the underlying authenticated encryption scheme meets two new, simple definitions of security that we introduce, and the key-exchange protocol is secure. In other words, we reduce the secure channel requirements of Canetti and Krawczyk to easier-to-use, stand-alone security requirements on the underlying authenticated encryption scheme. In addition, we relate the two new notions to existing security notions for authenticated encryption schemes.


1 Introduction 

We consider communication sessions in which a pair of parties begin by running an authenticated key-exchange (KE) protocol to obtain a shared session key, and then secure successive data transmissions between them via an authenticated encryption scheme, a shared-key-based encryption scheme whose goal is to provide both privacy and authenticity, based on the session key. Many popular Internet protocols follow this structure fl II 51 1 I I'iTil. One reason is that it minimizes computationally intensive public-key cryptography by using more efficient symmetric-key cryptography for the bulk of the communication.

At Eurocrypt 2001, Canetti and Krawczyk presented security definitions for protocols of this form ^]. They refer to such protocols as network channel protocols (or channel protocols for short). In their work, they derive a realistic adversarial model from [2] and formulate security definitions using a mixture of both simulation-based and indistinguishability-based approaches. The former allows them to realistically and naturally capture the security properties of channel protocols and the settings in which the protocols are deployed. The latter allows them to prove security of the protocols with relative ease. The result is the notion of secure channels, a notion that captures the desired security properties of the communication channels themselves, rather than those of the components used in constructing them, namely the underlying authenticated encryption schemes.

In contrast, most existing work has traditionally focused on security properties of encryption schemes. Examples include indistinguishability notions for asymmetric encryption schemes pioneered in m and adapted to symmetric-key settings in [3], non-malleability notions defined in lldldl and refined in [8], and integrity notions defined in II 9151201. Due to the simplicity and ease of use of these definitions, this approach has proved fruitful and has become the standard way to prove security of encryption schemes.

Our work uses this traditional approach to investigate security properties of 
the authenticated encryption schemes underlying channel protocols. In particu- 
lar, our goal is to address the following question. Suppose one takes a “secure” 
KE protocol and combines it with an authenticated encryption scheme as de- 
scribed above to obtain a channel protocol. What are the necessary and sufficient 
conditions on the underlying authenticated encryption scheme for the resulting 
channel protocol to be a secure channel per 0? The answer to this question will 
allow us to analyze security of channel protocols in a modular fashion: first con- 
sider the underlying KE protocol and the underlying authenticated encryption 
scheme separately, then determine whether the former is “secure” and whether 
the latter meets the necessary and sufficient conditions. If both are affirmative, 
then the channel protocol in question is a secure channel. Not only does this ap- 
proach simplify protocol analysis, but the necessary and sufficient conditions also 
help distill exactly the security properties of authenticated encryption schemes 
that are needed to obtain secure channels. This understanding can help guide 
cryptographers in designing future schemes for building secure channels. 

Krawczyk has already made some progress in this direction in ED|: he provides a necessary condition for a class of authenticated encryption schemes, namely those constructed via the "Authenticate-then-Encrypt" method¹, to yield a secure channel, assuming that the underlying KE protocol is "secure." Our goal is to provide both necessary and sufficient conditions that are easy-to-use and can be applied to any authenticated encryption scheme, as opposed to schemes of a certain form. To this end, we use the traditional approach of defining security, since it yields definitions that are simple and relatively easy to use.

Security Model of Canetti and Krawczyk. In 0, Canetti and Krawczyk use the adversarial model of 0: an adversary is in control of all message delivery and the execution of the protocol. In particular, once the setup phase of the protocol is completed, all parties in the system simply wait for activations from the adversary. Possible activations include sending messages, receiving messages, and establishing a session. Messages are delivered solely by the adversary under either of the following models: the Authenticated-links Model (AM) and the Unauthenticated-links Model (UM). Both models allow the adversary to drop messages and to deliver them out of order. In the former, an adversary cannot inject messages and must deliver messages without modifications. In the latter, it can inject fabricated messages and modify messages before delivering them. Section 2.1 describes the security model of 0 in more detail.

¹ Under this paradigm, a message authentication scheme and an encryption scheme are composed to obtain an authenticated encryption scheme as follows. To encrypt a message M, first compute its MAC via a message authentication scheme and encrypt the concatenation of M and the MAC to obtain the ciphertext to be transmitted. Decryption works in a natural way.
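An added example, not from the paper, of the Authenticate-then-Encrypt composition described in footnote 1: the message is MACed first (HMAC-SHA256 here), then the concatenation of the message and its tag is encrypted. As an assumption made only to keep the block self-contained, the encryption layer is a toy keystream derived from HMAC-SHA256 in counter mode standing in for a real cipher. The receiver decrypts, splits off the tag and verifies it in constant time before releasing the message, so a modified or truncated ciphertext yields no plaintext at all.

```python
"""Authenticate-then-Encrypt composition (added example, not the paper's code).

Assumptions: HMAC-SHA256 as the message authentication scheme; a toy keystream
built from HMAC-SHA256 in counter mode stands in for the encryption scheme.
A nonce must never be reused with the same encryption key.
"""
import hashlib
import hmac

TAG_LEN = 32   # HMAC-SHA256 output length


def _keystream(enc_key, nonce, length):
    """Toy keystream: HMAC-SHA256(enc_key, nonce || counter) blocks (a stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def ate_encrypt(mac_key, enc_key, nonce, msg):
    """Authenticate-then-Encrypt: tag = MAC(M), then encrypt M || tag."""
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    body = msg + tag
    ks = _keystream(enc_key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def ate_decrypt(mac_key, enc_key, nonce, ct):
    """Decrypt, split off the tag, verify it in constant time; return None on any failure."""
    if len(ct) < TAG_LEN:
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    body = bytes(a ^ b for a, b in zip(ct, ks))
    msg, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return msg


if __name__ == "__main__":
    # Constructed sample keys and nonce; real keys come from the key-exchange protocol.
    mk, ek, nonce = b"m" * 32, b"e" * 32, b"n" * 12
    ct = ate_encrypt(mk, ek, nonce, b"hello world")
    print(ate_decrypt(mk, ek, nonce, ct))
    print(ate_decrypt(mk, ek, nonce, bytes([ct[0] ^ 1]) + ct[1:]))
```

Note that a decryption failure is reported uniformly (None) whether the tag or the length check failed; distinguishing the two would leak information to an adversary in the UM who modifies ciphertexts in transit.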

Canetti and Krawczyk also present a security definition for KE protocols 
based on the approach of |E| in this adversarial model. Intuitively, they consider 
a KE protocol to be secure if, when the two parties involved in the exchange 
complete the protocol, (1) they arrive at the same session key, and (2) it is hard 
for an adversary to distinguish the session key from a random value chosen from 
the distribution of keys generated by the protocol. 

Secure Channels. Canetti and Krawczyk define a secure channel as a channel 
protocol that is both a secure (network) authentication protocol and a secure 
(network) encryption protocol. The definition of the former uses a simulation- 
based approach: a protocol secure in this sense must emulate ideal message 
transmissions where the notion of emulation amounts to computational indistin- 
guishability of protocol outputs. To this end, 0 defines a session-based message 
transmission (SMT) protocol, a protocol that does nothing more than its name 
suggests. For example, to establish a session, a party simply records in its output 
that a session has been established. To send a message, a party simply puts the 
message in the message buffer and records in its output that the message has 
been sent. 

The definition of secure encryption protocols applies an indistinguishability-based approach similar to the "find-then-guess" game in 0 (which in turn is an adaptation of semantic security of El into the symmetric setting) in this adversarial model. Specifically, the protocol is run in the UM against an adversary which, at some point during the run, chooses a session it wishes to break. The rest of the run closely follows the standard find-then-guess game with a few important exceptions. See Section 2.2 for details.

Capturing the Essence of Secure Channels. Following 0, we define a transform to specify how the channel protocols considered in this paper are generated: given a KE protocol π and an authenticated encryption scheme AS, we associate with them a channel protocol NC = NetAE(π, AS) obtained by applying the transform to π and AS. This transform is defined in Section 2.2. We focus on protocols constructed via this transform. Our goal is to find simple necessary and sufficient conditions on the underlying authenticated encryption scheme such that the protocol is a secure channel, assuming that the KE protocol is secure. We define two simple notions: SINT-PTXT and IND-CCVA. The former (resp. the latter) is a necessary and sufficient condition on the underlying authenticated encryption scheme such that the channel protocol is a secure authentication (resp. encryption) protocol. In effect, this reduces the secure channel requirements of Canetti and Krawczyk to easier-to-use, stand-alone security requirements on the underlying authenticated encryption scheme.
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We define the two notions using the traditional approach: we give an adver- 
sary access to certain oracles, run it in an experiment, and then measure the 
probability that it succeeds. Section 0 describes these notions in detail. Precise 
statements of our main results are presented in Section [|] along with the proof 
ideas. 

Technical Issue. The notion of secure authentication protocols captures reasonable authenticity guarantees such as resistance against replay attacks and forgeries. Therefore, to determine whether a channel protocol provides authenticity when these attacks are of concern, one needs only determine whether the protocol is a secure authentication protocol. However, due to a technical issue arising from the notion of secure encryption protocol per [9], the same cannot be said regarding privacy. In particular, there exists a channel protocol that clearly does not provide semantic security (i.e., partial information about transmitted messages may be leaked) and yet is provably a secure encryption protocol. Arguably, however, this technical issue does not arise in many practical protocols, including the popular SSH, SSL, and TLS. Consequently, the notion of secure encryption protocol can still be applied to these protocols to obtain meaningful results regarding their privacy guarantees. This issue is discussed in more detail later in the paper.

Future Work. Canetti and Krawczyk have recently proposed an alternative notion for secure channels that implies their secure channel notion of [9]. This new notion is called universally composable secure channels [11]. It provides strong composability guarantees, meaning that its security guarantees hold even if the channel protocol is used in combination with other protocols. Thus, a natural research direction is to determine whether the approach taken here can be used to derive simple necessary and sufficient conditions for an authenticated encryption scheme to yield a universally composable secure channel.


2 Definitions 

2.1 Preliminaries 

Since the authenticated encryption schemes considered in [9] have stateful decryption algorithms, we modify the standard syntax of symmetric authenticated encryption schemes, which assumes that decryption algorithms are stateless [3], to allow for stateful decryption algorithms. We also explicitly specify the syntax of a message-driven protocol based on [2] and restate the security model of [9] in more detail here.

Syntax of (Symmetric) Authenticated Encryption Schemes. A (symmetric) authenticated encryption scheme AE = (𝒦, ℰ, 𝒟) consists of three algorithms. The randomized key generation algorithm 𝒦 takes as input a security parameter k ∈ ℕ and returns a key K; we write K ← 𝒦(k). The encryption algorithm ℰ may be randomized or stateful. It takes the key K and a plaintext M and returns a ciphertext C; we write C ← ℰ_K(M). The decryption algorithm 𝒟 may be deterministic, and it may be either stateless or stateful. It takes the key K and a string C and returns either the corresponding plaintext M or the symbol ⊥; we write x ← 𝒟_K(C) where x ∈ {0,1}* ∪ {⊥}. Above, a randomized algorithm flips coins anew on each invocation, and a stateful algorithm uses and then updates a state that is maintained across invocations.

Since the decryption algorithm is allowed to be stateful here, the usual correctness condition, which requires that 𝒟_K(ℰ_K(M)) = M for all M in the message space, is replaced with a less stringent condition requiring only that decryption succeed when the encryption and decryption processes are in synchrony. More precisely, the following must be true for any key K and plaintexts M_1, M_2, .... Suppose that both ℰ_K and 𝒟_K are in their initial states. For i = 1, 2, ..., let C_i = ℰ_K(M_i) and let M'_i = 𝒟_K(C_i). It must be that M_i = M'_i for all i. Notice that this imposes no correctness requirement when ciphertexts are decrypted out of order. It is up to an individual scheme to decide how to handle ciphertexts that are decrypted out of order. For example, it can reject all such ciphertexts or accept only the ones that decrypt to certain previously seen messages. We stress that since this requirement is a part of the syntax of encryption schemes, it is liberal by design (messages that arrive out of order can have arbitrary decryptions under this requirement; see footnote 2). The goal here is to ensure that as many encryption schemes as possible can be analyzed under the security notions of interest.

Syntax of Message-Driven Protocols. A message-driven protocol NC = (IG, B, I, x, l, n, r, activation list) consists of three algorithms, four positive integer parameters, and a list of activations that can be invoked on a party along with instructions on how the party should handle them. Let k ∈ ℕ be the security parameter. The parameter n specifies an upper bound on the number of parties in the system. The randomized input generation algorithm IG takes as inputs k and an x-bit string and returns n strings (x_1, ..., x_n). The randomized bootstrapping algorithm B (see footnote 3) takes as inputs k and an l-bit string and returns n + 1 strings (I_0, ..., I_n). For each party P_i, the possibly randomized initialization algorithm I takes as inputs I_0, I_i, x_i, and an r-bit string. Executing the initialization algorithm may cause the party to update its internal state, to generate outputs to be appended to its local output, and/or to produce messages to be sent to other parties.

Message-Driven Protocol Execution. Let k ∈ ℕ be the security parameter. A protocol NC = (IG, B, I, x, l, n, r, activation list) is executed against an adversary as follows. First, random coins for IG, B, and I are generated, and IG and B are executed. Then, each party P_i executes the initialization algorithm I, giving it appropriate inputs as described above. When the initialization algorithm completes, the party waits for incoming activations. Finally, the adversary is run using k, I_0, and as many random coins as it needs. The adversary takes over and activates any parties it wishes to at this point.

² Recall that syntax and security notion are two separate concepts. Apparently "insecure" schemes, such as one that allows arbitrary decryptions for messages that arrive out of order, are in fact legitimate encryption schemes, i.e., they follow the syntax defined here. However, they are not secure under integrity notions, for instance.

³ Also known as an initialization function in [2,9]. We drop their terminology here to avoid confusion with the initialization algorithm.

Upon receiving an activation, a party executes the corresponding algorithm as specified in its activation list. Again, the result of the execution may be internal state updates, local output generation, and/or outgoing messages. In the last case, the party appends the message to the message buffer ℳ along with its source, destination, and, in the case of a session-based protocol, the associated session. As an example, upon receiving a "send" activation from the adversary, a party finds the algorithm for handling a send activation in its activation list and executes it. This typically involves encrypting the message, appending the ciphertext (along with its source, destination, and session ID) to ℳ, and recording the event (e.g., a record to the effect "sent M to P within session s") in the party's local output.

Protocol Output. The output of a running protocol is the concatenation of 
the cumulative local outputs of all the parties, together with the output of the 
adversary. Furthermore, since all actions of the adversary are recorded in the 
local outputs, they are part of the protocol output. 

Session-Based Message-Driven Protocols [2]. A session-based message-driven protocol defines at least two activations: establish-session and expire-session. They specify how each party can establish a session between itself and
another. We denote by ( P , P', s ) a session defined by the initiating party P, the 
responding party P', and the session ID s. The two parties P and P' are said 
to play the roles of an initiator and a responder, respectively. Two identical ses- 
sions (i.e., identical session IDs, participating parties, and their respective roles) 
from the point of view of the initiator and the responder are called matching 
sessions. The defining feature of session-based protocols is that individual ses- 
sions are maintained separately from one another even when they are established 
between the same pair of parties. 

Key-Exchange Protocols. A key-exchange (KE) protocol is a session-based message-driven protocol that specifies how two parties can establish a shared session key to be used during a session. Upon an establish-session activation, a party triggers a sub-protocol to establish a session with another party. This sub-protocol will likely result in further activations such as message sends and receipts. Once the sub-protocol completes, the two parties write the resulting session key on their outputs and mark the entry as "secret." Note that, although potentially confusing, the term "key-exchange protocol" is commonly used in the literature to refer to this sub-protocol rather than the entire protocol. Upon an expire-session activation for a particular session, the party erases the corresponding session key from its output and from any internal state it may have (e.g., its memory) and terminates the session. Notice that this means that a session can be unilaterally expired. The goal of this activation is to allow KE protocols to provide perfect forward secrecy of sessions, the property that past session keys remain secret even after long-term keys are compromised.
Network Channel Protocols. A network channel protocol (or a channel protocol for short) is a session-based message-driven protocol with two additional activations: send and incoming. They specify what a party running the protocol should do to send and to receive a message.

Power of an Adversary. When interacting with parties executing a session- 
based message-driven protocol, an adversary is allowed to access the contents of 
each party’s local output except those marked as “secret.” It can also perform 
the following actions: party activation, party corruption, session-state reveal, and 
session-output reveal. In addition to these actions, an adversary against a KE 
protocol can also perform a session-key reveal action against a party to obtain a 
session key. A session is considered exposed if it belongs to a corrupted party, 
has been subjected to a session-state reveal, a session-output reveal, a session-key 
reveal, or has a matching session that has been exposed. 

Authenticated and Unauthenticated Links Models. In the Authenticated-links Model (AM), the adversary can perform all of the actions mentioned above. Furthermore, all message delivery is performed by A: to deliver a message in the message buffer ℳ, the adversary A removes it from ℳ and activates the receiving party with the message as an incoming message. We emphasize that A can deliver messages in any order and can drop messages from ℳ entirely. However, it cannot deliver messages that are not in ℳ, and when it does deliver a message, it must do so without any modifications to the message. On the other hand, in the Unauthenticated-links Model (UM), not only can a UM adversary perform all of the actions permitted to an AM adversary, but it can also deliver messages that are not in ℳ or modify messages in ℳ before delivering them.

Notation. We use |r| to denote the length in bits of a string r. Let k ∈ ℕ be the security parameter, and let U be an adversary. Let π = (IG, B, I, x, l, n, r, activation list) be a session-based message-driven protocol. We follow the notation of [2,9] for the protocol output. We describe it here in detail for the UM; the AM is handled similarly except that the bootstrapping algorithm is ignored and its outputs are omitted. We denote by $\mathrm{UNADV}_{\pi,U}(k, \vec{x}, \vec{r})$ the output of the UM adversary U running against parties executing the protocol π with security parameter k, inputs $\vec{x} = (x_1, \ldots, x_n)$, and coins $\vec{r} = (r', r'', r_0, \ldots, r_n)$ where $|r'| = x$, $|r''| = l$, and $|r_0| = \cdots = |r_n| = r$. We denote by $\mathrm{UNAUTH}_{\pi,U}(k, \vec{x}, \vec{r})_i$ the cumulative output of the party $P_i$ running the protocol π with security parameter k, inputs $\vec{x}$, and coins $\vec{r}$ against the UM adversary U. Then, we let the protocol output be

$\mathrm{UNAUTH}_{\pi,U}(k, \vec{x}, \vec{r}) = \big(\mathrm{UNADV}_{\pi,U}(k, \vec{x}, \vec{r}),\ \mathrm{UNAUTH}_{\pi,U}(k, \vec{x}, \vec{r})_1,\ \ldots,\ \mathrm{UNAUTH}_{\pi,U}(k, \vec{x}, \vec{r})_n\big)$

and let $\mathrm{UNAUTH}_{\pi,U}(k)$ be the random variable describing $\mathrm{UNAUTH}_{\pi,U}(k, \vec{x}, \vec{r})$ when $\vec{r}$ is chosen at random and $\vec{x}$ is generated via $\mathrm{IG}(k, r')$. We denote by $\mathrm{UNAUTH}_{\pi,U}$ the ensemble $\{\mathrm{UNAUTH}_{\pi,U}(k)\}_{k \in \mathbb{N}}$.

2.2 Secure Channels per Canetti and Krawczyk [9] 

In [9], Canetti and Krawczyk define a secure channel as a channel protocol that is both a (secure) authentication protocol and a (secure) encryption protocol. For authentication protocols, their approach is to first define a protocol considered ideal as a message authentication protocol, called the SMT protocol. A channel protocol is considered a secure authentication protocol if it emulates the SMT protocol in the UM. Below, we present the concept of protocol emulation, the SMT protocol, and the definition of secure authentication protocols in Definition 1, Construction 2, and Definition 3, respectively.

Definition 1 (Protocol Emulation [2,9]). Let π, π' be message-driven protocols. We say that π' emulates π in the UM if, for any UM adversary U, there exists an AM adversary A such that $\mathrm{AUTH}_{\pi,A}$ and $\mathrm{UNAUTH}_{\pi',U}$ are computationally indistinguishable.

Construction 2 (SMT Protocol [9]). The protocol SMT is a session-based message-driven protocol with the following activations: establish-session, expire-session, send, and incoming. Upon an establish-session activation, a party records the event accordingly in its output. Upon an expire-session activation, a party checks that the session exists, marks the session as expired, and records the event accordingly in its output. When a party receives a send activation involving a message, a partner, and a session ID, it checks that the session is established and not expired. If so, it sends the given message to its partner via the specified session. Then, it records the event accordingly in its output. Finally, upon an incoming activation, a party checks that the session is established and not expired. If so, it records the event accordingly in its output.


Definition 3 (Network Authentication Protocol Security [9]). A protocol is considered to be a secure authentication protocol if it emulates the SMT protocol in the UM.

In defining secure encryption protocols, [9] adapts the indistinguishability-based approach to a multi-party computation setting. We present their security definition here. In what follows, the activation send*(P, Q, s, M_b) has the same effects as send(P, Q, s, M_b) except that the sender P merely records the fact that a message was sent but not the actual contents of the message, i.e., P records the entry "sent a message to Q within session s". Similarly, the activation incoming*(Q, P, s, C, M_b) has the same effects as incoming(Q, P, s, C) except that, if the decrypted message of C is equal to M_b, then Q merely records the fact that a message was received but not the actual contents of the message M_b, i.e., Q records the entry "received a message from P within session s".

Let b be a bit. In the experiment below, an adversary U runs in the UM, and its goal is to break one session of its choice by performing an action called test-session against the session and then doing what it can to guess the bit b. Once U picks a session, say (P, Q, s), it outputs a pair of messages, say (M_0, M_1). The sender P is then activated to send M_b. However, if P records in its local output at this point that it sent M_b, then U can easily win the game by simply looking at P's output. Therefore, P is activated with send*(P, Q, s, M_b) rather than a regular send activation. The rest of the run continues in the same way as before except that now the receiving party of the tested session uses incoming*(Q, P, s, C, M_b) to handle incoming messages. The reason for this is the following: if Q records all decryptions of incoming ciphertexts, U can easily determine the bit b by simply taking the challenge ciphertext corresponding to M_b, handing it to Q as an incoming ciphertext, and then seeing what Q writes on its output. The activation incoming* prevents this trivial attack.

Unfortunately, the game in its present form allows U to easily win via another trivial attack. Suppose the tested session is (P, Q, s). First, U picks any message M, activates P with a send activation to send M to Q via s, and outputs the challenge message pair (M, M') where M ≠ M'. As a result of the send activation, P encrypts M to obtain a ciphertext C and appends C to the message buffer. Now, U activates the receiver Q with the ciphertext C as an incoming message from P via session s. If Q does not record the decrypted message, then C corresponds to M_b, i.e., M = M_b, and thus b = 0. Otherwise, b = 1. Therefore, to prevent this trivial attack, [9] requires that an adversary never ask for an encryption of a particular message more than once. This requirement can easily be met using counters. For example, the encryption algorithm can prepend an internal counter to the input message before encrypting the resulting string to obtain the ciphertext, so that no two send activations ever encrypt the same string. In fact, the use of this mechanism is common in practical Internet protocols including SSH, SSL, and TLS. Definition 4 below describes the security of network encryption protocols more precisely.

Definition 4 (Network Encryption Protocol Security [9]). Let k ∈ ℕ. Let NC = (IG, B, I, x, l, n, r, activation list) be a channel protocol. Let U be a UM attacker, and let r_U : ℕ → ℕ be the function specifying an upper bound on the running time of U in terms of k. Consider the following experiment:

Experiment Exp^{ind-ne-b}_{NC,U}(k)
  r' ← {0,1}^x ; r'' ← {0,1}^l ; r_0 ← {0,1}^{r_U(k)}
  (x_1, ..., x_n) ← IG(k, r') ; (I_0, ..., I_n) ← B(k, r'')
  For i = 1, ..., n do r_i ← {0,1}^r ; start P_i on (I_0, I_i, x_i, r_i)
  Run U on input (k, I_0, r_0), carrying out U's actions as specified in NC
    ▷ When U submits test-session(P_i, P_j, s_0) and outputs (M_0, M_1):
      – activate P_i with send*(P_i, P_j, s_0, M_b)
    ▷ Continue carrying out U's actions as specified in NC, except:
      – whenever U activates P_j with incoming(P_j, P_i, s_0, C),
        activate P_j with incoming*(P_j, P_i, s_0, C, M_b) instead
  Until U halts and outputs a bit d
  Output d

Above, it is required that U submit only one test-session query and that it not expose the tested session thereafter. Furthermore, for the tested session, we require that U never invoke send activations involving M_0 or M_1 and also never invoke send activations involving a particular message more than once. We define the advantage of the adversary via

$\mathrm{Adv}^{\mathrm{ind\text{-}ne}}_{NC,U}(k) = \Pr[\mathrm{Exp}^{\mathrm{ind\text{-}ne\text{-}1}}_{NC,U}(k) = 1] - \Pr[\mathrm{Exp}^{\mathrm{ind\text{-}ne\text{-}0}}_{NC,U}(k) = 1].$

The channel protocol NC is said to be a secure encryption protocol in the UM if the function $\mathrm{Adv}^{\mathrm{ind\text{-}ne}}_{NC,U}(\cdot)$ is negligible for any UM adversary U whose time-complexity is polynomial in k.


2.3 From KE and Authenticated Encryption Schemes 
to Channel Protocols 

In [9], Canetti and Krawczyk use a template by which one can describe how a KE protocol and an authenticated encryption scheme can be used as building blocks for a channel protocol. We define a transform based on this template.

Construction 5 (Transform [9]). Let π = (IG, B, I, x, l, n, r, activation list) be a KE protocol, and let AE = (𝒦, ℰ, 𝒟) be an authenticated encryption scheme. We associate with π and AE a channel protocol NAE = NetAE(π, AE) = (IG, B, I, x, l, n, r, alist) where alist contains the activations in activation list together with the following activations.

1. establish-session(P_i, P_j, s, role): This triggers a KE-session under π within P_i with partner P_j, session ID s, and role ∈ {initiator, responder}. If the KE-session completes, P_i records in its local output the entry "established session s with P_j" and the generated session key, marked as "secret." Otherwise, no action is taken.

2. expire-session(P_i, P_j, s): If the session (P_i, P_j, s) exists at P_i, the party P_i marks the session as expired and erases the session key. Then, P_i records in its local output "expired session s with P_j". Otherwise, no action is taken.

3. send(P_i, P_j, s, M): The party P_i checks that the session (P_i, P_j, s) has been completed and not expired. If so, it computes C ← ℰ_K(M) using the corresponding session key K, puts (P_i, P_j, s, C) in the message buffer ℳ, and records "sent M to P_j within session s" in its local output. Otherwise, no action is taken.

4. incoming(P_i, P_j, s, C): The party P_i checks that the session (P_i, P_j, s) has been completed and not expired. If so, it computes M ← 𝒟_K(C) under the corresponding session key K. If M ≠ ⊥, then P_i records "received M from P_j within session s". Otherwise, no action is taken.

3 Simple Characterizations of Authenticated Encryption 
Schemes for Secure Channels 

We propose two new security notions for authenticated encryption schemes: SINT-PTXT (for strong integrity of plaintexts) and IND-CCVA (for indistinguishability against chosen-ciphertext attacks with verification). The goal is to capture the necessary and sufficient properties of the authenticated encryption scheme such that, once the transform per Construction 5 is applied to the scheme and a KE protocol, the resulting channel protocol is a secure channel, assuming that the KE protocol "securely implements" the key generation algorithm of the authenticated encryption scheme. We postpone a precise definition of the term in quotes to Section 4. In what follows, we use x ← f(y) to denote the process of running a possibly randomized algorithm f on an input y and assigning the result to x. If A is a program, A ⇐ x means "return x to A." The time-complexity referred to in our definitions is the worst-case total execution time of the entire experiment, plus the size of the code of the adversary, in some fixed RAM model of computation. Also, oracles corresponding to stateful algorithms maintain their states across invocations.

First, we capture the notion of a secure authentication protocol with SINT-PTXT. Recall that a protocol is considered a secure authentication protocol if it emulates the SMT protocol in the UM, where SMT is an ideal session-based message transmission protocol. Under the SMT protocol in the AM, when a party sends a message M to another party, the message M is simply put on the buffer. Since the adversary is operating in the AM, it can drop messages but cannot modify or inject messages. Therefore, a secure authentication protocol must ensure that each sent message is received at most once (i.e., replay attacks are unsuccessful), and that its contents are left intact.

We define the SINT-PTXT notion in Definition 6. An adversary is given access to an encryption oracle and a decryption oracle. This captures its ability to obtain encryptions and decryptions of messages and ciphertexts of its choice. We use a multiset, denoted T below, to keep track of messages that have been sent but not yet received. Whenever a message is received, it is removed from the multiset. If an adversary is able to submit a query to the decryption oracle that results in a message that is not in the multiset T, i.e., the message is not one of those waiting to be received, then it wins.

Definition 6 (SINT-PTXT). Let AE = (𝒦, ℰ, 𝒟) be an authenticated encryption scheme. Let k ∈ ℕ. Let A be an adversary with access to two oracles. Consider the following experiment.

Experiment Exp^{sint-ptxt}_{AE,A}(k)
  K ← 𝒦(k) ; T ← ∅   // T is a multiset
  Run A^{ℰ_K(·), 𝒟_K(·)}(k)
    Reply to ℰ_K(M) as follows:
      C ← ℰ_K(M) ; T ← T ∪ {M} ; A ⇐ C
    Reply to 𝒟_K(C) as follows:
      M ← 𝒟_K(C)
      If M = ⊥ then A ⇐ M
      Else if M ∈ T then T ← T − {M} ; A ⇐ M
      Else return 1
  Until A halts
  Return 0

We define the advantage of the adversary via

$\mathrm{Adv}^{\mathrm{sint\text{-}ptxt}}_{AE,A}(k) = \Pr[\mathrm{Exp}^{\mathrm{sint\text{-}ptxt}}_{AE,A}(k) = 1].$

The scheme AE is said to be SINT-PTXT secure if the function $\mathrm{Adv}^{\mathrm{sint\text{-}ptxt}}_{AE,A}(\cdot)$ is negligible for any adversary A whose time-complexity is polynomial in k.

Now, we capture the notion of a secure encryption protocol. To capture an adversary's ability to obtain encryptions and decryptions of messages and ciphertexts of its choice, we give it access to an encryption oracle ℰ_K(·) and a decryption oracle 𝒟_K(·). The definition follows that of [9] closely and straightforwardly. Let b ∈ {0,1}. Recall that, in the definition of secure encryption protocol per [9], once the adversary outputs a challenge message pair (M_0, M_1), the receiver of the tested session does not record the decrypted message if it is equal to the secret message M_b. We capture this through an oracle denoted by 𝒟_K(·, M_b). This oracle is the same as the standard decryption oracle 𝒟_K(·) except for the following: if a given ciphertext decrypts to M_b, then the oracle 𝒟_K(·, M_b) returns the special symbol ⊥; otherwise, it returns the decrypted message. Additionally, since an adversary in the definition per [9] cannot obtain encryptions of a particular message more than once, we impose the same restriction on the adversary in our experiment.

Definition 7 (IND-CCVA). Let AE = (𝒦, ℰ, 𝒟) be an authenticated encryption scheme. Let b ∈ {0,1} and k ∈ ℕ. Let A be an adversary that has access to three oracles. Consider the following experiment.

Experiment Exp^{ind-ccva-b}_{AE,A}(k)
  K ← 𝒦(k)
  (M_0, M_1, st) ← A^{ℰ_K(·), 𝒟_K(·)}(k, find)
  C ← ℰ_K(M_b)
  d ← A^{ℰ_K(·), 𝒟_K(·, M_b)}(k, guess, C, st)
  Return d

The computation ℰ_K(M_b) above is a call to the encryption oracle. Also, the oracle 𝒟_K(·, M_b) shares state with (i.e., is initialized with the current state of) 𝒟_K(·), if any. Furthermore, we require that A never query ℰ_K(·) on M_0 or M_1 and also never query ℰ_K(·) on a particular message more than once. We define the advantage of the adversary via

$\mathrm{Adv}^{\mathrm{ind\text{-}ccva}}_{AE,A}(k) = \Pr[\mathrm{Exp}^{\mathrm{ind\text{-}ccva\text{-}1}}_{AE,A}(k) = 1] - \Pr[\mathrm{Exp}^{\mathrm{ind\text{-}ccva\text{-}0}}_{AE,A}(k) = 1].$

The scheme AE is said to be IND-CCVA secure if the function $\mathrm{Adv}^{\mathrm{ind\text{-}ccva}}_{AE,A}(\cdot)$ is negligible for any adversary A whose time-complexity is polynomial in k.
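The two experiments above, the in-synchrony correctness condition of Section 2.1, the replay discussion opening this section, and the repeated-message restriction motivated in Section 2.2 can all be exercised on a concrete scheme. The following Python is an added example, not code from the paper: it implements a constructed toy Encrypt-then-MAC scheme (SHA-256 keystream plus HMAC; for illustration only) in a stateless variant and in a variant that authenticates a sequence number and decrypts only in synchrony, then runs Definition 6's multiset experiment against a replaying adversary and Definition 7's experiment against the trivial encrypt-M-first attack. The adversary interface (a find/guess callback), the oracle-call accounting, and all sample messages are assumptions of this example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed toy authenticated encryption (Encrypt-then-MAC over a SHA-256
# keystream). Illustration only: not a scheme from the paper, not for production.

def _keystream(key, nonce, n):
    """Keystream from SHA-256(key || nonce || block counter), truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class EtM:
    """Randomized encryption, stateless decryption: no replay protection at all."""
    def __init__(self, key):
        self.ke, self.km = key[:16], key[16:]
    def enc(self, m):
        nonce = os.urandom(12)
        body = nonce + _xor(m, _keystream(self.ke, nonce, len(m)))
        return body + hmac.new(self.km, body, "sha256").digest()
    def dec(self, c):
        body, tag = c[:-32], c[-32:]
        if len(body) < 12 or not hmac.compare_digest(tag, hmac.new(self.km, body, "sha256").digest()):
            return None                                   # the symbol bottom
        return _xor(body[12:], _keystream(self.ke, body[:12], len(body) - 12))

class SeqEtM(EtM):
    """Same scheme with an authenticated sequence number and stateful decryption:
    ciphertexts are accepted only in the order produced (the in-synchrony
    correctness condition), so replays and reordering decrypt to bottom."""
    def __init__(self, key):
        super().__init__(key)
        self.send_seq, self.recv_seq = 0, 0
    def enc(self, m):
        c = super().enc(self.send_seq.to_bytes(8, "big") + m)
        self.send_seq += 1
        return c
    def dec(self, c):
        p = super().dec(c)
        if p is None or len(p) < 8 or int.from_bytes(p[:8], "big") != self.recv_seq:
            return None
        self.recv_seq += 1
        return p[8:]

def sint_ptxt_experiment(scheme_cls, adversary):
    """Definition 6: T is the multiset of sent-but-not-yet-received messages; the
    experiment outputs 1 if some decryption query yields a message not in T."""
    scheme, T, won = scheme_cls(os.urandom(32)), Counter(), False
    def enc_oracle(m):
        T[m] += 1
        return scheme.enc(m)
    def dec_oracle(c):
        nonlocal won
        m = scheme.dec(c)
        if m is not None:
            if T[m] > 0:
                T[m] -= 1
            else:
                won = True                                # replay or fresh forgery
        return m
    adversary(enc_oracle, dec_oracle)
    return 1 if won else 0

def replay_adversary(enc, dec):
    c = enc(b"pay 100 to mallory")                        # constructed sample message
    dec(c)                                                # legitimate delivery removes it from T
    dec(c)                                                # replay: the plaintext is no longer in T

def ind_ccva_experiment(scheme_cls, adversary, b, enforce=True):
    """Definition 7. Returns the adversary's guess, or None when enforce=True and the
    adversary encrypted some message twice or queried the oracle on M_0 or M_1."""
    scheme, seen, violated = scheme_cls(os.urandom(32)), set(), False
    def enc_oracle(m):
        nonlocal violated
        violated |= m in seen                             # each message encrypted at most once
        seen.add(m)
        return scheme.enc(m)
    m0, m1, st = adversary("find", enc_oracle, scheme.dec, None)
    violated |= m0 in seen or m1 in seen                  # M_0, M_1 must never be oracle queries
    seen.update((m0, m1))
    mb = (m0, m1)[b]
    challenge = scheme.enc(mb)                            # the one permitted encryption of M_b
    def dec_star(c):                                      # D_K(., M_b): returns bottom on M_b
        m = scheme.dec(c)
        return None if m == mb else m
    d = adversary("guess", enc_oracle, dec_star, (challenge, st))
    return None if enforce and violated else d

def repeat_adversary(phase, enc, dec, arg):
    """The trivial attack of Section 2.2: encrypt M before naming (M, M') as the challenge."""
    if phase == "find":
        return b"M", b"M-prime", enc(b"M")
    _challenge, c = arg
    return 0 if dec(c) is None else 1                     # bottom means M = M_b, i.e. b = 0
```

Running the experiments shows what the definitions demand: the stateless scheme loses the SINT-PTXT game to a plain replay (the replayed plaintext is no longer in T), the sequence-numbered scheme rejects the replay with ⊥ while still decrypting in-order ciphertexts correctly, and the trivial IND-CCVA attack wins with advantage 1 against both schemes when the restriction is not enforced, which is exactly why Definition 7 forbids encrypting M_0, M_1, or any message twice.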

4 SINT-PTXT and IND-CCVA 
are Necessary and Sufficient 

Our results use Definition 8 below. It describes how the key generation algorithm of an authenticated encryption scheme should relate to the KE protocol of a channel protocol based on that scheme. In particular, the KE protocol should "implement" the key generation algorithm, meaning that two parties that have completed the KE protocol with each other should end up with the same key, which in turn should be drawn from the distribution generated by the key generation algorithm. The definition, which is adapted from [9], captures this property more precisely via the following game. Let k ∈ ℕ be the security parameter. Let Π be a session-based message-driven protocol that includes a KE protocol π as a sub-protocol, and let U be a UM adversary running against Π. The adversary U can carry out the actions specified in Π plus one additional activation, namely a test-session-key query, against at most one unexpired and unexposed session s whose KE portion is completed. From this point on, U is not allowed to expose the tested session. Once U performs a test-session-key query, a bit b is chosen at random. If b = 0, then U receives the session key for s. Otherwise, it receives a value r ← 𝒦(k). The adversary wins if it correctly guesses the bit b.

Definition 8 (Securely Implementing a Key Generation Algorithm via a Key Exchange Protocol). Let k ∈ ℕ be the security parameter. A KE protocol π is said to securely implement a key generation algorithm 𝒦 in the UM during the run of a protocol if, for any adversary U in the UM,

– when an uncorrupted party completes π with another uncorrupted party, they both arrive at the same session key, AND

– U wins the game above with probability no more than 1/2 plus a negligible function of k.

We present our main results here. They state that SINT-PTXT and IND-CCVA are, respectively, necessary and sufficient for the notions of network authentication and network encryption of Canetti and Krawczyk [9]. We present the theorems and their proof ideas below. The full proofs in detail are in the full version of this paper. For brevity, we write X ≈ Y when the ensembles X and Y are statistically indistinguishable. Note that statistical indistinguishability implies computational indistinguishability.

Theorem 9 (Given a Secure KE, SINT-PTXT ⇔ Secure Authentication Protocol). Let AE = (𝒦, ℰ, 𝒟) be an authenticated encryption scheme, and let π be a KE protocol. Let NAE = NetAE(π, AE) be the associated channel protocol as per Construction 5. Suppose that π securely implements 𝒦 in the UM during the run of NAE. Then, AE is SINT-PTXT secure if and only if NAE is a secure authentication protocol.

We sketch the proof for each direction of the "if and only if," assuming throughout that π securely implements 𝒦. For the "if" direction, we show that if AE is SINT-PTXT secure, then given any UM adversary U against NAE, we can construct an AM adversary A against SMT such that $\mathrm{AUTH}_{SMT,A} \approx \mathrm{UNAUTH}_{NAE,U}$. The crux of this proof is essentially the same as that of Theorem 12 of [9], and thus we do not discuss it further.

For the "only if" direction, we show that, given any sint-ptxt adversary F against AE, we can construct a UM adversary U against NAE such that, for any AM adversary A against SMT, $\mathrm{AUTH}_{SMT,A} \not\approx \mathrm{UNAUTH}_{NAE,U}$, as follows. The adversary U starts two parties P_1 and P_2. Then, it activates P_1 with establish-session(P_1, P_2, s, initiator) and runs F. Whenever F submits an encryption query ℰ_K(M), the adversary U activates the party P_1 with send(P_1, P_2, s, M). Similarly, whenever F submits a decryption query 𝒟_K(C), the adversary U activates the party P_2 with incoming(P_2, P_1, s, C). Recall that a successful sint-ptxt adversary F can essentially replay a message or forge a ciphertext that decrypts to a previously unseen message. Since such actions are not possible in the AM, no AM adversary can generate a global output that is statistically indistinguishable from that generated by U.

Theorem 10 (Given a Secure KE, IND-CCVA ⇔ Secure Encryption
Protocol). Let AE = (K, E, D) be an authenticated encryption scheme, and let
π be a KE protocol. Let NAE = NetAE(π, AE) be the associated channel protocol
as per Construction 0. Suppose that π securely implements K in the UM during
the run of NAE. Then, AE is IND-CCVA secure if and only if NAE is a secure
encryption protocol.

We sketch the proof for each direction of the “if and only if,” assuming through-
out that π securely implements K. For the “if” direction, we show that, given
any ind-ne adversary U against NAE, we can construct an ind-ccva adversary A
against AE such that A’s success probability is no less than that of U divided
by the total number of sessions established by U over its run. The adversary
A simply simulates U as in the experiment Exp^{ind-ne-b}_{NAE,U}(k) (where b is a bit)
with one exception: during the find phase, A chooses a session at random and
uses its oracles to encrypt and decrypt messages in this session. If U submits a
test-session query on the chosen session and outputs a pair of test messages, A
does too. (Otherwise, A aborts.) Then, A enters its guess phase and continues
the simulation exactly as before. It halts and outputs what U outputs. Since π
securely implements K, the adversary A correctly simulates U. Thus, it succeeds
if U does.

For the “only if” direction, we show that, given any ind-ccva adversary A
against AE, we can construct an ind-ne adversary U against NAE such that U’s
success probability is no less than that of A, using a similar technique as before: U
establishes a session between two parties, then runs A, answering its encryption
and decryption queries by making send and incoming activations, respectively,
for the session. Finally, U halts and outputs what A outputs. Since π securely
implements K, the adversary U correctly simulates A. Thus, it succeeds if A
does.

5 Understanding Secure Channels through SINT-PTXT and IND-CCVA

We explore the new notions by taking the standard approach of relating them 
to familiar notions. Since the two notions are necessary and sufficient for se- 
cure channels, the knowledge we gain from this exercise is applicable to secure 
channels as well. In our comparisons, we use the following terminology. Suppose
X and Y are security notions. We say that X implies Y if any scheme secure
under X is secure under Y. We say that X does not imply Y if there exists an
encryption scheme that is secure under X but is insecure under Y. We say that
X is equivalent to Y if X implies Y and vice versa. We say that X is strictly
stronger than Y if X implies Y but Y does not imply X. Finally, we say that
X and Y are incomparable if X does not imply Y and Y does not imply X.

Fig. 1. Relations among notions of symmetric encryption: An arrow from a
notion X to a notion Y denotes that X is strictly stronger than Y. A dashed line
between a notion X and a notion Y denotes that the two notions are incomparable. The
relations established in other papers are annotated with the corresponding citations.
For simplicity, only interesting relations are shown here. We emphasize that the existing
notions in this figure (those in unshadowed frames) are variants of the standard notions
in the literature. In particular, the oracles here maintain states across invocations.

In this section, we discuss relations among notions of symmetric encryption
as summarized in Figure 1. Our strategy for showing that X implies Y is the
standard reduction approach: given an adversary that successfully breaks the
scheme under the notion Y, construct an adversary that successfully breaks the
scheme under the notion X. To show that X does not imply Y, we start with a
scheme secure under X, then modify it to obtain a scheme that remains secure
under X but is insecure under Y.

The standard privacy notions we consider here are indistinguishability under
chosen-plaintext and adaptive chosen-ciphertext attacks (IND-CPA and IND-
CCA). The original definitions of these notions were in the asymmetric setting
[II 711 till but can be “lifted” to the symmetric setting using the encryption-
oracle-based template of j3j. We use the “find-then-guess” definitions per [33
throughout our discussions here. In particular, for both notions, an adversary
A plays a game in which it is to “find” a pair of challenge messages (M_0, M_1),
obtain the ciphertext corresponding to the encryption of one of the challenge
messages, and then “guess” a bit indicating to which challenge message the
ciphertext corresponds. For IND-CPA, A is given access to an encryption oracle
throughout the game. For IND-CCA, A is given access to both an encryption
oracle and a decryption oracle throughout the game. (This notion is also known
as IND-CCA2 0.)

The integrity notions considered here are integrity of plaintexts [5| and in-
tegrity of ciphertexts |V11 91b]. An adversary attacking a scheme under these
notions is given access to two oracles: a standard encryption oracle and a verifi-
cation oracle, i.e., an oracle that returns a bit indicating whether the given cipher-
text is valid, that is, whether or not it decrypts to ⊥. An adversary succeeds in breaking a
scheme under the INT-PTXT notion if it can forge a ciphertext that decrypts to
a “new” message, i.e., a message that has not been submitted to the encryption
oracle before. Similarly, it succeeds in breaking a scheme under the INT-CTXT
notion if it can forge a “new” and valid ciphertext, i.e., a valid ciphertext that
has not been returned by the encryption oracle.

Strictly speaking, the original definitions of the existing security notions 
considered here, namely IND-CPA, IND-CCA, INT-PTXT and INT-CTXT, do 
not explicitly deal with encryption schemes with stateful decryption algorithms. 
Therefore, to compare them to our proposed notions, namely IND-CCVA and 
SINT-PTXT, we make one small modification to existing definitions. Specifically, 
we allow each oracle used in the definitions to maintain states across invocations. 
It is easy to see that, this modification notwithstanding, the relations among ex- 
isting notions shown in 0 and 0 remain the same. It is also easy to see that 
any schemes secure under the original definitions are secure under the defini- 
tions with this modification. Henceforth, we use the original names to refer to 
the modified definitions. 

We provide the justifications of the relations in the full version of this pa-
per [‘/'ll. We briefly discuss the relations shown in Figure 1 here. First, we com-
ment that, as Figure 1 shows, SINT-PTXT is reasonably strong: it implies INT-
PTXT but not the stronger notion of INT-CTXT. Also, an integrity notion,
specifically INT-PTXT, turns out to be necessary for IND-CCVA, a privacy
notion.

Being a necessary and sufficient characterization of the secure encryption proto-
col of 0, IND-CCVA is not meant to constitute a complete security measure
on its own. Rather, it guarantees secrecy only in conjunction with additional
mechanisms that guarantee uniqueness of messages. Consequently, it may be
surprising at first glance that IND-CCVA emerges as a notion that is incom-
parable to both IND-CPA and IND-CCA. In particular, IND-CCVA does not
imply even a weak notion of privacy such as IND-CPA. Moreover, the proof of
this relation can be easily extended to show that a channel protocol does not
provide the stateful variant of semantic security either. (See the full version of
this paper nq for details.) The unfortunate implication here is that channel
protocols proven secure as an encryption protocol may in fact leak information.
This is a rather unexpected result, since one would naturally assume that a se-
cure encryption protocol should protect the privacy of transmitted information. On
the other hand, it is also arguably simply a technical issue that does not arise
in many cases in practice. As pointed out in j2j, if one can ensure that all mes-
sages are unique, then one can obtain security. One way to ensure uniqueness of
messages is to simply prepend unique message IDs to all messages and to ver-
ify them when ciphertexts are received. In fact, many Internet protocols in use
today (e.g., SSH, SSL, and TLS) already do so: they include in every packet a
sequence number maintained internally by the communicating parties |15I11I23|.
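As an added illustration of the uniqueness mechanism just described (this code is not part of the paper), the following Python sketch keeps the sequence number as an implicit, never-transmitted input to both the keystream and the MAC, in the style of the internally maintained counters of SSH and TLS; the cipher is a toy HMAC-SHA256 counter-mode keystream chosen for this example, and the keys and messages are constructed. A replayed or reordered packet fails the MAC because the receiver's counter has moved on, which is exactly the stateful rejection that a replay-free notion such as SINT-PTXT demands.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 as a PRF in counter mode, keyed by the
    implicit sequence number so that equal plaintexts never encrypt alike."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StatefulChannel:
    """One direction of a channel. Encrypt-then-MAC, where the sequence number
    is internal state at both ends: it feeds the keystream and the MAC but is
    never sent on the wire (the sender's and receiver's counters must agree)."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.send_seq = 0  # next sequence number to use when sending
        self.recv_seq = 0  # sequence number the receiver expects next

    def _tag(self, seq: int, ct: bytes) -> bytes:
        return hmac.new(self.mac_key, struct.pack(">Q", seq) + ct, hashlib.sha256).digest()

    def seal(self, msg: bytes) -> bytes:
        seq = self.send_seq
        ct = _xor(msg, _keystream(self.enc_key, seq, len(msg)))
        self.send_seq += 1
        return ct + self._tag(seq, ct)

    def open(self, packet: bytes):
        """Stateful decryption: returns the plaintext, or None (the paper's ⊥)
        for a forged, replayed, reordered or dropped packet."""
        if len(packet) < TAG_LEN:
            return None
        ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        seq = self.recv_seq
        if not hmac.compare_digest(tag, self._tag(seq, ct)):
            return None  # counter is left unchanged, so the stream stays in sync
        self.recv_seq += 1
        return _xor(ct, _keystream(self.enc_key, seq, len(ct)))


def demo() -> dict:
    """Constructed run: two equal messages, one replay, one reordering."""
    enc_key, mac_key = b"\x01" * 32, b"\x02" * 32  # constructed keys
    alice = StatefulChannel(enc_key, mac_key)  # sender
    bob = StatefulChannel(enc_key, mac_key)    # receiver
    p1 = alice.seal(b"transfer 100")
    p2 = alice.seal(b"transfer 100")           # same plaintext, different packet
    p3 = alice.seal(b"logout")
    return {
        "distinct_ciphertexts": p1 != p2,
        "first": bob.open(p1),
        "replay_of_first": bob.open(p1),   # rejected: bob now expects seq 1
        "out_of_order": bob.open(p3),      # rejected: seq 2 arrives before seq 1
        "second": bob.open(p2),
        "third": bob.open(p3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```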
Abstract. Recently the bilinear pairings such as the Weil pairing or Tate
pairing on elliptic curves and hyperelliptic curves have found various
applications in cryptography. Several identity-based (simply ID-based)
cryptosystems using bilinear pairings of elliptic curves or hyperelliptic
curves were presented. Blind signatures and ring signatures are very useful
for providing the user’s anonymity and the signer’s privacy. They are play-
ing an important role in building e-commerce. In this paper, we first
propose an ID-based blind signature scheme and an ID-based ring sig-
nature scheme, both of which are based on the bilinear pairings. Also we
analyze their security and efficiency.

Keywords: Blind signature, Ring signature, Bilinear pairings, ID-based
cryptography, Provable security.


1 Introduction 

False certification or no certification mechanisms cause problems, which can
range from a “man-in-the-middle” attack (in order to gain knowledge over con-
trolled data) to a completely open situation (to gain access to data and re-
sources). It is important to note that these problems appear even with encryption
or a secure protocol. If the user is led to connect to a spoofing site which
appears to be what he wants, he may have a secure connection to a thief who
will act maliciously. Thus, identity certification or authentication is necessary.
In a public key cryptosystem, each user has two keys, a private key and a pub-
lic key. The binding between the public key (PK) and the identity (ID) of a
user is obtained via a digital certificate. However, in a certificate-based system,
before using the public key of a user, the participant must first verify the cer-
tificate of the user. As a consequence, this system requires a large amount of
computing time and storage when the number of users increases rapidly. In 1984
Shamir EH asked for ID-based encryption and signature schemes to simplify
key management procedures in the certificate-based public key setting. Since then,
many ID-based encryption schemes and signature schemes HE) EH have been
proposed.

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 533–547, 2002.
The bilinear pairings, namely the Weil pairing and the Tate pairing of al-
gebraic curves, are important tools for research on algebraic geometry. The
early applications of the bilinear pairings in cryptography were to eval-
uate the discrete logarithm problem. For example, the MOV attack JTS] (using
the Weil pairing) and the FR attack 0 (using the Tate pairing) reduce the discrete log-
arithm problem on some elliptic curves or hyperelliptic curves to the discrete
logarithm problem in a finite field. However, the bilinear pairings have
found various applications in cryptography recently 0 0 [H| U5| PZZJ [231]. More
precisely, they can be used to construct ID-based cryptographic schemes. Many
ID-based cryptographic schemes have been proposed using the bilinear pair-
ings. Examples are Boneh-Franklin’s ID-based encryption scheme 0, Smart’s
ID-based authenticated key agreement protocol £3], and several ID-based sig-
nature schemes PUD [20] [23], etc. The ID-based public key setting can be an
alternative for the certificate-based public key setting, especially when efficient key
management and moderate security are required. In the public key setting, users’
anonymity is protected by means of blind signatures, while signers’ anonymity
is protected by group or ring signatures. This paper is focused on ID-based blind signature
and ID-based ring signature schemes.

The concept of blind signatures was introduced by Chaum 0, which pro- 
vides anonymity of users in applications such as electronic voting and electronic 
payment systems, etc. In contrast to regular signature schemes, a blind signa- 
ture scheme is an interactive two-party protocol between a user and a signer. It 
allows the user to obtain a signature of a message in a way that the signer learns 
neither the message nor the resulting signature. Blind signature plays a central 
role in building anonymous electronic cash. 

Several ID-based signature schemes based on pairings were developed re- 
cently. In this paper, we propose a blind version of ID-based signature schemes. 
ID-based blind signature is attractive since one’s public key is simply his iden- 
tity. For example, if a bank issues electronic cash with ID-based blind signature, 
users and shops do not need to fetch bank’s public key from a database. They 
can verify the electronic cash issued this year only by the following information, 
Name of Country || Name of City || Name of Bank || this year. 

The concept of ring signature was introduced by Rivest, Shamir and Tau-
man [22]. A ring signature is considered to be a simplified group signature which
consists of only users without managers. It protects the anonymity of a signer
since the verifier knows that the signature comes from a member of a ring,
but doesn’t know exactly who the signer is. There is also no way to revoke the
anonymity of the signer. Ring signatures can support ad hoc subset formation and
in general do not require special setup. Rivest-Shamir-Tauman’s ring signature
scheme relies on the general public-key setting.

After giving the formal definitions of ID-based blind signature and ring sig- 
nature, we propose an ID-based blind signature scheme and an ID-based ring 
signature scheme using bilinear pairings, and analyze their security and efficiency. 

Organization of the Paper: The rest of the paper is organized as follows:
DLP, DDHP, CDHP, GDHP, and bilinear pairings are introduced in Section 2.
We give the formal definition of an ID-based blind signature scheme and an ID-
based ring signature scheme in Section 3. Our main ID-based blind signature scheme is
presented in Section 4. Section 5 gives a security proof of our ID-based blind
signature scheme. In Sections 6 and 7 we present an ID-based ring signature
scheme and analyze its security and performance, respectively. Section 8 sum-
marizes this paper and gives open problems.

2 Basic Concepts on Bilinear Pairings 

Let G be a cyclic group generated by P, whose order is a prime q, and V be a
cyclic multiplicative group of the same order q. The discrete logarithm problems
in both G and V are hard. Let e : G × G → V be a pairing which satisfies the
following conditions:

1. Bilinear: e(P_1 + P_2, Q) = e(P_1, Q) e(P_2, Q) and e(P, Q_1 + Q_2) = e(P, Q_1) e(P, Q_2),
or e(aP, bQ) = e(P, Q)^{ab};

2. Non-degenerate: There exist P ∈ G and Q ∈ G such that e(P, Q) ≠ 1;

3. Computability: There is an efficient algorithm to compute e(P, Q) for all
P, Q ∈ G.

We note that the Weil and Tate pairings associated with supersingular elliptic
curves or abelian varieties can be modified to create such bilinear maps.

Suppose that G is an additive group. Now we describe four mathematical
problems.

— Discrete Logarithm Problem (DLP): Given two group elements P and
Q, find an integer n such that Q = nP whenever such an integer exists.

— Decision Diffie-Hellman Problem (DDHP): For a, b, c ∈ Z_q^*, given
P, aP, bP, cP, decide whether c = ab mod q.

— Computational Diffie-Hellman Problem (CDHP): For a, b ∈ Z_q^*, given
P, aP, bP, compute abP.

— Gap Diffie-Hellman Problem (GDHP): A class of problems where
DDHP is easy while CDHP is hard.

We assume throughout this paper that CDHP and DLP are intractable, which
means there is no polynomial time algorithm to solve CDHP or DLP with non-
negligible probability. When the DDHP is easy but the CDHP is hard on the
group G, we call G a Gap Diffie-Hellman (GDH) group. Such groups can be found
on supersingular elliptic curves or hyperelliptic curves over finite fields, and the
bilinear pairings can be derived from the Weil or Tate pairing e : G × G → V.
Our schemes in this paper can be built on any GDH group.

3 Model 

In this section, we give the formal definitions of ID-based blind signature scheme 
and ID-based ring signature scheme. 
An ID-based blind signature scheme is considered to be the combination of a
general blind signature scheme and an ID-based one, i.e., it is a blind signature,
but its public key for verification is just the signer’s identity.

Definition 1 (ID-Based Blind Digital Signature). An ID-based blind sig-
nature scheme (simply IDBSS) consists of a six-tuple (Trust Authority (or TA),
Setup, User, Extract, Signer, Verification), where

1. TA is a trustee which can issue tamper-resistant equipment to transfer
secret information to users. It executes two operations: System setup and
User’s private key generation.

2. Setup is a probabilistic polynomial algorithm that takes a security parameter
k, and returns params (system parameters) and master-key.

3. Extract is a probabilistic polynomial algorithm that takes as input params,
master-key and an arbitrary ID ∈ {0, 1}*, and returns a private key S_ID.
Here ID is a signer’s identity and works as the signer’s public key.

4. Signer and User are a pair of probabilistic interactive Turing machines,
where both machines have the following tapes: a read-only input tape, a write-
only output tape, a read/write working tape, a read-only random tape, and
two communication tapes. Signer is given on its input tape (ID, S_ID). User
is given on its input tape (ID, m), where m is a message. The length of all
input must be polynomial in k. Signer and User engage in the signature
issuing protocol and stop in polynomial time. At the end of this protocol,
Signer outputs either completed or not-completed, and User outputs either
fail or the signature σ(m) of the message m.

5. Verification is a probabilistic polynomial-time algorithm that takes
(ID, m, σ(m)) and outputs either accept or reject.

The security of an ID-based blind signature scheme consists of two require-
ments: the blindness property and the non-forgeability of additional signatures.
We say the blind signature scheme is secure if it satisfies both requirements.

Like (2j and m, we give a formal definition of the blindness of an ID-based
blind signature scheme.

Definition 2 (Blindness). Let A be the Signer or a probabilistic polynomial-
time algorithm that controls the Signer. A is involved in the following game with
two honest users, namely U_0 and U_1.

1. (ID, S_ID) ← Extract(params, ID).

2. (m_0, m_1) ← A(ID, S_ID) (A produces two documents).

3. Select b ∈_R {0, 1} (i.e., b is a random bit which is kept secret from A). Put
m_b and m_{1−b} on the read-only input tapes of U_0 and U_1, respectively.

4. A engages in the signature issuing protocol with U_0 and U_1 in arbitrary order.

5. If U_0 and U_1 output σ(m_b) and σ(m_{1−b}), respectively, on their private tapes,
then give those outputs to A. Otherwise, give ⊥ to A.

6. A outputs a bit b' ∈ {0, 1}.

If b' = b, A knows the message and its corresponding signature of each user. In
this case, we say A wins.

An ID-based signature is blind if, for all probabilistic polynomial-time algo-
rithms A, A wins in the above experiment with probability at most 1/2 + 1/k^c
for sufficiently large k and some constant c. The probability is taken over the
coin flips of Extract, the two users U_0 and U_1, and A.

The ID-based ring signature can be viewed as the combination of a ring 
signature and an ID-based signature. 

Definition 3 (ID-Based Ring Digital Signature). An ID-based ring signa-
ture scheme (simply IDRSS) consists of a four-tuple, namely (Setup, Extract,
Signing, Verification). Three parties are involved in the scheme: a Signer,
a User and a TA (like in IDBSS, TA is a trustee; it executes two operations:
System setup and User’s private key generation).

1. Setup is a probabilistic polynomial algorithm, run by TA, that takes a secu-
rity parameter k and returns params (system parameters) and master-key.

2. Extract is a probabilistic polynomial algorithm, run by TA, that takes as
input params, master-key, and an arbitrary ID ∈ {0, 1}*. It returns a
private key S_ID. Here ID is the signer’s identity and is used as the signer’s
public key.

3. Signing is a probabilistic polynomial algorithm that takes params, a private
key S_ID, a list of identities L, which includes the ID corresponding to S_ID, and
a message m. The algorithm outputs a signature σ(m) for m.

4. Verification is a probabilistic polynomial-time algorithm that takes
(L, m, σ(m)) and outputs either accept or reject.

We say an ID-based ring signature scheme is secure if it satisfies two require-
ments, namely, unconditional ambiguity (i.e., the adversary cannot tell the
identity of the signer with a probability larger than 1/r, where r is the cardinal-
ity of the ring, even assuming that he/she has unlimited computing resources)
and the non-forgeability of additional signatures.

4 Our ID-Based Blind Signature Scheme 

In this section, we present an ID-based blind signature scheme from the bilinear
pairings. Our scheme is similar to Schnorr’s blind signature scheme.

Let G be a GDH group of prime order q. The bilinear pairing is given as
e : G × G → V.

[Setup]

Let P be a generator of G. Choose a random number s ∈ Z_q^* and set
P_pub = sP. Define two cryptographic hash functions H : {0, 1}* → Z_q and
H_1 : {0, 1}* → G. The system parameters are params = {G, q, P, P_pub, H, H_1},
and s is the master-key of TA.

[Extract]

Given an identity ID, which implies the public key Q_ID = H_1(ID), the
algorithm returns the private key S_ID = sQ_ID.

The above two operations, [Setup] and [Extract], are carried out by TA.
Note that TA can access the sensitive private key S_ID. To avoid power abuse
by TA, n trust authorities with an (n, n)-threshold secret sharing scheme can be
used to escrow the master-key, as suggested in ITT1.

[Blind Signature Issuing Protocol]

User                                            Signer
                                                r ∈_R Z_q^*
                                                Compute R = rP
                       <-------- R --------
a, b ∈_R Z_q^*
Compute
t = e(bQ_ID + R + aP, P_pub)
c = H(m, t) + b (mod q)
                       -------- c -------->
                                                Compute S = cS_ID + rP_pub
                       <-------- S --------
Compute
S' = S + aP_pub
c' = c − b

Fig. 1. The blind signature issuing protocol

Suppose that m is the message to be signed. Let ∈_R denote uniform
random selection. The protocol is shown in Fig. 1.

— The signer randomly chooses a number r ∈ Z_q^*, computes R = rP, and sends
R to the user as a commitment.

— (Blinding) The user randomly chooses a, b ∈ Z_q^* as blinding factors. He
computes c = H(m, e(bQ_ID + R + aP, P_pub)) + b (mod q), and sends c to the
signer.

— (Signing) The signer sends back S, where S = cS_ID + rP_pub.

— (Unblinding) The user computes S' = S + aP_pub and c' = c − b. He outputs
{m, S', c'}.

Then (S', c') is the blind signature of the message m.
[Verification]

Accept the signature if and only if

c' = H(m, e(S', P) e(Q_ID, P_pub)^{−c'}).

To produce a blind signature, the Signer only needs to compute three
scalar multiplications in G, while the User requires three scalar multiplications
in G, one hash function evaluation and one bilinear pairing computation. The
verification operation requires one hash function evaluation, two bilinear pairing
computations and one exponentiation in V. One pairing computation can be
saved, if a large number of verifications are to be performed for the same identity,
by precomputing e(Q_ID, P_pub). Our signature consists of an element in G and
an element in V. In practice, the size of the element in G (elliptic curve group or
hyperelliptic curve Jacobians) can be reduced by a factor of 2 with compression
techniques in H2HX3.

5 Analysis of the IDBSS 

This section proves the security of our blind signature scheme assuming the
intractability of CDHP and ideal randomness of the hash functions H and H_1. For
the generic parallel attack, we assume the intractability of the ROS-problem [22], i.e.,
to find an Overdetermined, Solvable system of linear equations modulo q with
Random inhomogeneities.

5.1 Correctness 

The verification of the signature is justified by the following equations:

H(m, e(S', P) e(Q_ID, P_pub)^{−c'})

= H(m, e(S + aP_pub, P) e(Q_ID, P_pub)^{−c'})

= H(m, e(cS_ID + rP_pub + aP_pub, P) e(Q_ID, P_pub)^{−c'})

= H(m, e(cS_ID, P) e(rP_pub + aP_pub, P) e(Q_ID, P_pub)^{−c'})

= H(m, e(S_ID, P)^c e((r + a)P_pub, P) e(Q_ID, P_pub)^{−c'})

= H(m, e(Q_ID, P_pub)^c e((r + a)P, P_pub) e(Q_ID, P_pub)^{−c'})

= H(m, e(Q_ID, P_pub)^{c − c'} e(R + aP, P_pub))

= H(m, e(Q_ID, P_pub)^b e(R + aP, P_pub))

= H(m, e(bQ_ID + R + aP, P_pub))

= H(m, t) = c − b = c'
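To make the issuing protocol of Fig. 1 and the correctness chain above concrete, here is an added Python example (it is not the paper's code). It instantiates the groups with a deliberately insecure toy pairing chosen for this example: G = (Z_q, +) with P = 1, V the order-q subgroup of Z_p^* for a prime p found at import time, and e(aP, bP) = g^{ab}, which is bilinear and non-degenerate but has a trivial DLP, so it exercises only the algebra, not the hardness assumptions. H and H_1 are built from SHA-256, and the identity and message are constructed inputs.

```python
import hashlib
import secrets

# Toy groups, constructed for this example (no security: DLP in G is trivial).
# G = (Z_q, +) with generator P = 1, so the "point" aP is just a mod q;
# V = the order-q subgroup of Z_p^*, and e(aP, bP) = g^(ab) is bilinear.
Q = (1 << 61) - 1  # prime group order (the Mersenne prime 2^61 - 1)

def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin; these fixed bases are deterministic for n < 3.3e24."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _field_prime(q: int) -> int:
    """Smallest prime p = k*q + 1 (k even), so Z_p^* has a subgroup of order q."""
    k = 2
    while not _is_probable_prime(k * q + 1):
        k += 2
    return k * q + 1

P_MOD = _field_prime(Q)
G_GEN = next(g for g in (pow(h, (P_MOD - 1) // Q, P_MOD) for h in range(2, 64)) if g != 1)

def pairing(x: int, y: int) -> int:
    """Toy e : G x G -> V on scalars x, y that stand for the points xP and yP."""
    return pow(G_GEN, (x * y) % Q, P_MOD)

def H(m: bytes, t: int) -> int:
    """H : {0,1}* -> Z_q, applied to the message and an element of V."""
    data = m + b"||" + t.to_bytes((P_MOD.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def H1(identity: bytes) -> int:
    """H_1 : {0,1}* -> G, never the identity element."""
    return 1 + int.from_bytes(hashlib.sha256(identity).digest(), "big") % (Q - 1)

def rand_zq_star() -> int:
    return 1 + secrets.randbelow(Q - 1)

def setup():
    """[Setup]: params = {P, P_pub = sP}; s is the TA's master-key."""
    s = rand_zq_star()
    return {"P": 1, "Ppub": s % Q}, s

def extract(master_key: int, identity: bytes) -> int:
    """[Extract]: S_ID = s * Q_ID with Q_ID = H_1(ID)."""
    return (master_key * H1(identity)) % Q

def signer_commit(params):
    r = rand_zq_star()
    return r, (r * params["P"]) % Q  # signer keeps r, sends the commitment R = rP

def user_blind(params, identity: bytes, m: bytes, R: int):
    a, b = rand_zq_star(), rand_zq_star()  # blinding factors
    t = pairing((b * H1(identity) + R + a * params["P"]) % Q, params["Ppub"])
    return (a, b), (H(m, t) + b) % Q  # user keeps (a, b), sends c

def signer_sign(params, Sid: int, r: int, c: int) -> int:
    return (c * Sid + r * params["Ppub"]) % Q  # S = cS_ID + rP_pub

def user_unblind(params, blind, c: int, S: int):
    a, b = blind
    return (S + a * params["Ppub"]) % Q, (c - b) % Q  # (S', c')

def issue(params, identity: bytes, Sid: int, m: bytes):
    """The four-step protocol of Fig. 1, run end to end; returns (S', c')."""
    r, R = signer_commit(params)
    blind, c = user_blind(params, identity, m, R)
    return user_unblind(params, blind, c, signer_sign(params, Sid, r, c))

def verify(params, identity: bytes, m: bytes, sig) -> bool:
    """Accept iff c' = H(m, e(S', P) * e(Q_ID, P_pub)^(-c'))."""
    S_prime, c_prime = sig
    lhs = pairing(S_prime, params["P"])
    inv = pow(pairing(H1(identity), params["Ppub"]), (-c_prime) % Q, P_MOD)
    return c_prime == H(m, (lhs * inv) % P_MOD)

if __name__ == "__main__":
    params, s = setup()
    ident, msg = b"alice@example.org", b"pay 10 to bob"  # constructed inputs
    sig = issue(params, ident, extract(s, ident), msg)
    print("valid:", verify(params, ident, msg, sig))  # prints True
```

Because the signer only ever sees R, c and S, while the output pair is (S + aP_pub, c − b), changing the message or the identity makes verification fail while the signer's transcript stays unlinkable to the final signature, which is the blindness argument of Section 5.2 in miniature.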


5.2 Security Proofs 

On the blindness of our ID-based blind signature scheme, we can state the fol- 
lowing theorem: 
Theorem 1. The proposed scheme is blind.

Proof. We consider the experiment in Definition 2. Let A be the Signer or
a probabilistic polynomial-time algorithm that controls the Signer and has
(ID, S_ID) from Extract(params, ID).

If A gets ⊥, it is easy to see that A wins the game with probability exactly
the same as a random guessing of b, i.e., with probability 1/2.

Suppose that A gets σ(m_b) and σ(m_{1−b}), instead of ⊥. For i = 0, 1, let
R_i, c_i, S_i be the data exchanged during the signature issuing protocol, and (S'_0, c'_0)
and (S'_1, c'_1) are given to A. Then it is sufficient to show that there exist two
random factors (a, b) that map R_i, c_i, S_i to S'_j, c'_j for each i, j ∈ {0, 1} (here
a ∈ G). We can define a := S'_j − S_i, b := −c'_j − (−c_i). As

e(R_i, P_pub) = e(S_i − c_i S_ID, P) = e(S_i, P) e(−c_i Q_ID, P_pub),

we have:

c'_j = H(m, e(S'_j, P) e(Q_ID, P_pub)^{−c'_j})

= H(m, e(S_i + a, P) e(Q_ID, P_pub)^{b − c_i})

= H(m, e(c_i Q_ID + R_i, P_pub) e(a, P) e(Q_ID, P_pub)^{b − c_i})

= H(m, e(R_i, P_pub) e(a, P) e(Q_ID, P_pub)^b)

Thus the blinding factors always exist which lead to the same relation de-
fined in the signature issuing protocol. Therefore, even an infinitely powerful A
succeeds in determining b with probability 1/2.

Taking the two cases into account, the probability that A wins is 1/2. Therefore,
the proposed scheme is blind. □

Next, we discuss the non-forgeability of the proposed ID-based blind signa-
ture scheme. Let A be the adversary who controls User. We consider three cases.

Case 1: Non-interaction with Signer

If A successfully produces a valid message-signature pair (m, σ(m)) with a
non-negligible probability η, then we will show that using A, we can construct
a simulator M to solve the CDHP with non-negligible probability η.

Let q_H be the maximum number of queries asked by A to H; it is limited
by a polynomial in k. We assume that all queries are different. Let (G, V, q, e(·,·),
P, P_pub, Q_ID) be the problem that we want to solve: to find S_ID ∈ G from
e(Q_ID, P_pub) = e(S_ID, P). M simulates as follows:

— Select I ∈_R {1, ..., q_H}.

— M simulates H as follows: for the i-th query to H, if i = I, then ask H for
the answer. Otherwise, randomly select and output an element from Z_q.

— Randomly choose a number r ∈ Z_q and send R = rP to A.

— A outputs a signature (m_I, S', c').

We denote by η the success probability of M, which is non-negligible.

Now we use M to get S_ID from e(Q_ID, P_pub) = e(S_ID, P). We run M with
a random tape (i.e., with random input (a, b, r) and a random choice of H). M
then outputs a valid signature (S'_1, c'_1) after trying 1/η times. We rewind M with
the same random tape and run it with a different choice of H. After at most 2/η
times, we can get another valid signature (S'_2, c'_2). Then we have

S'_1 − S'_2 = c'_1 S_ID − c'_2 S_ID.

Because c'_1 and c'_2 are different choices of H, i.e., c'_1 ≠ c'_2, we can get
S_ID = (c'_1 − c'_2)^{−1}(S'_1 − S'_2) mod q. If P_pub = sP, Q_ID = H_1(ID) = tP, then S_ID = stP,
i.e., we solved the CDHP.

Since we assume that the CDHP is intractable, the success probability of the
forgery in this case is negligible.

Case 2: Non-fixed ID Forgery 

We assume that Extract is a random oracle, and allow an adversary A to
query it. A executes the following experiment:

1. (ID, S_ID) ← Extract(params, ID).

2. A queries Extract q_E (q_E > 0) times with (params, ID_i ≠ ID) for i =
1, ..., q_E. Extract returns to A the q_E corresponding secret keys S_{ID_i}. We
assume that q_E is limited by a polynomial in k.

3. A produces q_E signatures with the help of (ID_i, S_{ID_i}).

4. A outputs a signature (m, σ(m)).

Since H and H_1 are random oracles, both Extract and the blind signature
issuing protocol between User and Signer generate random numbers with uni-
form distributions. This means that A learns nothing from the query results. Case
2 can be reduced to Case 1, so we claim that, under the assumption that all hash
functions are random oracles and that the CDHP is intractable, the success
probability of the non-fixed ID attack on the proposed scheme is negligible.

Case 3: Fixed ID Generic Parallel Attack 

In [23], Schnorr proposed a new attack, called the generic parallel attack, on
Schnorr’s blind signature scheme. This attack also applies to our blind scheme.
In the following, we prove that our scheme is secure against the generic parallel
attack under the assumption of the intractability of the ROS-problem.

We first describe how A uses the generic parallel attack to forge l + 1 valid
ID-based blind signatures in our scheme. Let q_H be the maximum number of
queries to H from A.

1. The signer sends commitments R_1 = r_1 P, R_2 = r_2 P, ..., R_l = r_l P.

2. A selects randomly a_{k,1}, a_{k,2}, ..., a_{k,l} ∈ Z_q and messages m_1, m_2, ..., m_t. He
computes f_k = e(Σ_{i=1}^{l} a_{k,i} R_i, P_pub) and H(m_k, f_k) for k = 1, 2, ..., t. Here
t ≤ q_H.

3. A solves l + 1 of the t Eqs. (1) in the unknowns c_1, c_2, ..., c_l over Z_q:

H(m_k, f_k) = Σ_{j=1}^{l} a_{k,j} c_j  for k = 1, 2, ..., t.   (1)

4. A sends the solutions c_1, c_2, ..., c_l as challenges to the signer.

5. The signer sends back S_i = c_i S_ID + r_i P_pub for i = 1, 2, ..., l.

6. For each solved Eq. (1), A gets a valid signature (m_k, S'_k, c'_k) by setting

c'_k := Σ_{j=1}^{l} a_{k,j} c_j = H(m_k, f_k)

and

S'_k := Σ_{j=1}^{l} a_{k,j} S_j.

7. A outputs l + 1 signatures (m_k, S'_k, c'_k) for k = 1, 2, ..., l + 1.

It is easy to see that the forged signature is valid. According to Eq. (1), we
have:

e(S'_k, P) e(Q_ID, P_pub)^{−c'_k} = e(Σ_{j=1}^{l} a_{k,j} S_j, P) e(Q_ID, P_pub)^{−c'_k}

= e(Σ_{j=1}^{l} a_{k,j}(c_j S_ID + r_j P_pub), P) e(Q_ID, P_pub)^{−c'_k}

= e(S_ID, P)^{Σ_{j=1}^{l} a_{k,j} c_j} e(Σ_{j=1}^{l} a_{k,j} r_j P_pub, P) e(Q_ID, P_pub)^{−c'_k}

= e(Σ_{j=1}^{l} a_{k,j} R_j, P_pub) = f_k

and

H(m_k, e(S'_k, P) e(Q_ID, P_pub)^{−c'_k}) = c'_k.

The essence of the above attack is to solve the so-called ROS-problem, which
is shown below.

ROS-Problem [23]: Find an overdetermined, solvable system of linear equa-
tions modulo q with random inhomogeneities. More precisely, given an oracle
random function F : Z_q^l → Z_q, find coefficients a_{k,i} ∈ Z_q and a solvable system
of l + 1 distinct equations of Eq. (2) in the unknowns c_1, c_2, ..., c_l over Z_q:

a_{k,1} c_1 + ··· + a_{k,l} c_l = F(a_{k,1}, ..., a_{k,l})  for k = 1, 2, ...   (2)
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The security against the generic parallel attack to our ID-based blind signa- 
ture scheme depends on the difficulty of ROS-problem. As Schnorr states that the 
intractability of the ROS-problem is “a palausible but novel complexity assump- 
tion”. At Crypto2002, D. Wagner EU claimed that he can break ROS-problem 
with subexponential time. To be resistant against this new attack, q may need 
to be at least 1600 bits long. 
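The attack above, run end to end on toy parameters, as an added example that is not code from the paper: the signer opens $l = 2$ parallel sessions and the adversary walks away with $l + 1 = 3$ valid signatures. It assumes $G_1$ written as scalars (the point $xP$ is stored as $x$, with $P = 1$), a toy "pairing" $e(xP, yP) = 4^{xy} \bmod 2039$ over a group of order $q = 1019$ (so discrete logs are trivial and nothing here is secure), $H$ modelled by SHA-256 reduced mod $q$, and constructed values for the master key, $Q_{ID}$, the messages and the signer's nonces. The third ROS equation is found by brute force, which costs about $q$ hash evaluations here and is exactly why the text asks for a very large $q$.

```python
"""Toy run of the generic parallel attack (Case 3) on the ID-based blind
signature scheme with l = 2 parallel sessions.  Added illustration, not the
paper's code: G1 points are stored as scalars (xP stored as x, P = 1) and
e(xP, yP) = g^(xy) is a toy pairing over a 1019-element group, so the
algebra is checkable but the discrete log is trivial and nothing is secure."""
import hashlib

Q = 1019            # toy group order (assumption; a real q is 160+ bits)
P_MOD = 2 * Q + 1   # 2039 is prime, so Z_2039^* has a subgroup of order Q
G2_GEN = 4          # a quadratic residue mod 2039, hence of order Q


def pair(x, y):
    """Toy bilinear map e(xP, yP) = g^(xy) in G2."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)


def H(m, f):
    """H : {0,1}* x G2 -> Z_q, modelled by SHA-256 reduced mod q."""
    data = m.encode() + b"|" + str(f).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


# Constructed key material: master key s, P_pub = sP, Q_ID = H1(ID), S_ID = s Q_ID.
S_MASTER = 617
P_PUB = S_MASTER                  # sP, with P = 1
Q_ID = 233                        # stands in for H1(ID)
S_ID = (S_MASTER * Q_ID) % Q      # the signer's private key


def signer_respond(c, r):
    """Signer's reply in one session: S = c S_ID + r P_pub."""
    return (c * S_ID + r * P_PUB) % Q


def verify(m, S, c):
    """Accept (m, S, c) iff c = H(m, e(S, P) e(Q_ID, P_pub)^-c)."""
    t = pair(S, 1) * pow(pair(Q_ID, P_PUB), (Q - c) % Q, P_MOD) % P_MOD
    return H(m, t) == c


def generic_parallel_attack(r1=91, r2=477):
    """Open l = 2 sessions (signer nonces r1, r2) and return l + 1 = 3
    valid signatures as a list of (m, S', c') triples."""
    R = [r1 % Q, r2 % Q]                       # commitments R_i = r_i P
    # Rows 1 and 2 of the ROS system are unit vectors, so Eq. (1) fixes
    # c_k = H(m_k, f_k) with f_k = e(R_k, P_pub).
    rows, msgs = [(1, 0), (0, 1)], ["m1", "m2"]
    c = [H(msgs[k], pair(R[k], P_PUB)) for k in range(2)]
    # Third row a = (1, 1): search a message m3 with
    #   H(m3, e(R1 + R2, P_pub)) = c1 + c2  (mod q),
    # the (l+1)-th consistent equation.  Each trial succeeds with
    # probability about 1/q, so the cost is O(q) hash evaluations.
    f3 = pair((R[0] + R[1]) % Q, P_PUB)
    target = (c[0] + c[1]) % Q
    for i in range(100 * Q):
        m3 = f"m3-{i}"
        if H(m3, f3) == target:
            break
    else:
        raise RuntimeError("no ROS solution found (astronomically unlikely)")
    rows.append((1, 1))
    msgs.append(m3)
    # Send c1, c2 as the challenges; the signer answers once per session.
    S = [signer_respond(c[0], r1), signer_respond(c[1], r2)]
    sigs = []
    for k in range(3):
        c_k = sum(a * ci for a, ci in zip(rows[k], c)) % Q
        S_k = sum(a * Si for a, Si in zip(rows[k], S)) % Q
        sigs.append((msgs[k], S_k, c_k))
    return sigs


if __name__ == "__main__":
    for m, S, c in generic_parallel_attack():
        print(m, S, c, verify(m, S, c))
```

Only two signer responses are consumed, yet all three triples pass `verify`; the third one is on a message the signer never saw. Scaling $q$ up to a real size makes the brute-force search infeasible, and Wagner's subexponential ROS algorithm is what pushes the safe size to the 1600 bits quoted above.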

Remark: The most powerful attack on blind signatures is the one-more signature 
forgery introduced by Pointcheval and Stern in [?]. They considered two kinds 
of attacks: the sequential attack and the parallel attack. At the moment we 
believe that their method cannot be applied to our scheme, since their blind 
signature scheme involves multiple key components, while only one single private 
key is engaged in our scheme. Schnorr [23] proved that the security of his blind 
signature scheme against the one-more signature forgery depends on the 
difficulty of the ROS-problem. However, for our ID-based blind signature scheme it seems 
difficult to prove that security against the sequential one-more signature 
forgery depends on the difficulty of the ROS-problem. Finding a formal proof of 
security against the sequential one-more signature forgery on our scheme remains 
an open problem. 

6 Our ID-Based Ring Signature Scheme 

The concept of ring signature has recently been formalized by Rivest et al. in 
[?]. A ring signature allows a member of an ad hoc collection of users $U$ to prove 
that a message is authenticated by a member of $U$. It is very useful for anonymity 
protection. Naor [15] combined deniable authentication with Rivest et al.'s 
ring signature and proposed Deniable Ring Authentication. 

The first ring signature scheme is based on the RSA cryptosystem and the general 
certificate-based public key setting. The first ring signature scheme based on 
the DLP was proposed recently by M. Abe, M. Ohkubo, and K. Suzuki in [1], and 
their scheme is also based on the general certificate-based public key setting. In 
this section, we present an ID-based ring signature scheme using pairings. 

Let $G$ be a GDH group of prime order $q$. The bilinear pairing is $e : G \times G \to V$. 

[Setup] 

The system setup is the same as in IDBSS. The system parameters are params $= 
\{G, q, P, P_{pub}, H, H_1\}$. The master key of the TA is $s$. 

[Extract] 

Given an identity $ID$, the algorithm outputs $S_{ID} = sH_1(ID)$ as the private 
key associated with $ID$. The public key is given by $Q_{ID} = H_1(ID)$. 

Let $ID_i$ be a user's identity, and $S_{ID_i}$ the private key associated with 
$ID_i$, for $i = 0, 1, \ldots, n-1$. Let $L = \{ID_i\}$ be the set of identities. The real signer's 
identity $ID_k$ is listed in $L$. 

[Signing] 

- (Initialization): Choose randomly an element $A \in G$ and compute $c_{k+1} = H(L \,\|\, m \,\|\, e(A, P))$. 

- (Generate forward ring sequence): For $i = k+1, \ldots, n-1, 0, 1, \ldots, k-1$ 
(i.e., all indices taken modulo $n$), choose randomly $T_i \in G$ and compute 
$c_{i+1} = H(L \,\|\, m \,\|\, e(T_i, P)\, e(c_i H_1(ID_i), P_{pub}))$. 

- (Forming the ring): Compute $T_k = A - c_k S_{ID_k}$. 

- (Output the ring signature): Select $0$ (i.e., $n$) as the glue value; the resulting 
signature for $m$ and $L$ is the $(n+1)$-tuple $(c_0, T_0, T_1, \ldots, T_{n-1})$. 

[Verification] 

Given $(c_0, T_0, T_1, \ldots, T_{n-1})$, $m$, and $L$, compute 
$c_{i+1} = H(L \,\|\, m \,\|\, e(T_i, P)\, e(c_i H_1(ID_i), P_{pub}))$ for $i = 0, 1, \ldots, n-1$. 
Accept if $c_n = c_0$, and reject otherwise. 

7 Analysis of the IDRSS 

7.1 Correctness 

From the procedure of ring signature generation, we have: 

$$\begin{aligned}
c_{k+1} &= H(L \,\|\, m \,\|\, e(A, P)) \\
c_{k+2} &= H(L \,\|\, m \,\|\, e(T_{k+1}, P)\, e(c_{k+1} H_1(ID_{k+1}), P_{pub})) \\
&\ \ \vdots \\
c_n &= H(L \,\|\, m \,\|\, e(T_{n-1}, P)\, e(c_{n-1} H_1(ID_{n-1}), P_{pub})) = c_0 \\
c_1 &= H(L \,\|\, m \,\|\, e(T_0, P)\, e(c_0 H_1(ID_0), P_{pub})) \\
c_2 &= H(L \,\|\, m \,\|\, e(T_1, P)\, e(c_1 H_1(ID_1), P_{pub})) \\
&\ \ \vdots \\
c_k &= H(L \,\|\, m \,\|\, e(T_{k-1}, P)\, e(c_{k-1} H_1(ID_{k-1}), P_{pub}))
\end{aligned}$$

Since $T_k = A - c_k S_{ID_k}$ and $S_{ID_k} = sH_1(ID_k)$, in the procedure of ring signature verification we 
have: 

$$\begin{aligned}
c_{k+1} &= H(L \,\|\, m \,\|\, e(T_k, P)\, e(c_k H_1(ID_k), P_{pub})) \\
&= H(L \,\|\, m \,\|\, e(A - c_k S_{ID_k}, P)\, e(c_k H_1(ID_k), P_{pub})) \\
&= H(L \,\|\, m \,\|\, e(A, P)\, e(-c_k S_{ID_k}, P)\, e(c_k H_1(ID_k), P_{pub})) \\
&= H(L \,\|\, m \,\|\, e(A, P)\, e(-c_k H_1(ID_k) + c_k H_1(ID_k), P_{pub})) \\
&= H(L \,\|\, m \,\|\, e(A, P))
\end{aligned}$$

The sequence $\{c_i\}$ ($i = 0, 1, \ldots, n-1$) in the ring signature verification 
procedure is therefore the same as in the ring signature generation procedure, so we have 
$c_n = c_0$. 
7.2 Security 

Our ID-based ring scheme has unconditional signer-ambiguity, because all $T_i$ 
but $T_k$ are taken randomly from $G$. In fact, at the starting point, $T_k$ is also 
distributed uniformly over $G$, since $A$ is randomly chosen from $G$. Therefore, for 
fixed $L$ and $m$, $(T_0, \ldots, T_{n-1})$ has $|G|^n$ solutions, all of which can be chosen 
by the signature generation procedure with equal probability, regardless of the 
signer. 

When $n = 1$, our ID-based ring signature reduces to the ID-based signature 
scheme proposed by F. Hess [11] (let $P_1 = P_{pub}$ in Hess's scheme). Hess's ID-based 
signature scheme is unforgeable under the assumption that the CDHP is intractable 
and all hash functions are random oracles. 

For $n > 1$, we fix a set of identities, denoted by $L$. Suppose that $\mathcal{A}$'s identity 
$ID_{\mathcal{A}}$ is not listed in $L$, but he wants to forge a valid ring signature. $\mathcal{A}$ can either 
forge a valid signature of a user whose identity $ID_k$ is listed in $L$ (this is the 
same as the case $n = 1$), or execute the following experiment: 

S1 $\mathcal{A}$ queries Extract $q_E$ ($q_E > 0$) times with (params, $ID'_i \notin L$) for $i = 
1, \ldots, q_E$. Extract returns to $\mathcal{A}$ the $q_E$ corresponding secret keys $S_{ID'_i}$. 

S2 Choose randomly an integer $c_0 \in \mathbb{Z}_q$. 

S3 Do the same as "generate forward ring sequence" of [Signing] for $i = 
0, 1, \ldots, n-2$, where $n = |L|$. 

S4 Try to choose $T_{n-1}$ so that $c_0 = H(L \,\|\, m \,\|\, e(T_{n-1}, P)\, e(c_{n-1} H_1(ID_{n-1}), P_{pub}))$. 

S5 Output the ring signature $(c_0, T_0, T_1, \ldots, T_{n-1})$. 

If $\mathcal{A}$ finishes S1 and gets an $(ID'_i, S_{ID'_i})$ such that $H_1(ID'_i) = H_1(ID_j)$ for some 
$ID_j \in L$, then he can forge a valid ring signature. But since $H_1$ is a random 
oracle, Extract returns keys for uniformly distributed random points. This 
means that $\mathcal{A}$ learns nothing from the query results. Since $H$ also acts as a random 
oracle and all $T_i$ are taken randomly from $G$, the probability that $c_0 = H(L \,\|\, 
m \,\|\, e(T_{n-1}, P)\, e(c_{n-1} H_1(ID_{n-1}), P_{pub}))$ is $1/q$. So we say that the proposed 
ID-based ring signature scheme is unforgeable. 
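A toy implementation of the ring signature of Section 6 together with the key-less forgery experiment S2-S5 above, as an added example that is not code from the paper. It assumes $G$ written as scalars (the point $xP$ is stored as $x$, with $P = 1$), a toy pairing $e(xP, yP) = 4^{xy} \bmod 2039$ over a group of order $q = 1019$ (trivial discrete logs, so the parameters give no security), $H_1$ and $H$ modelled by SHA-256, a constructed master key $s = 617$, and made-up e-mail identities for the ring.

```python
"""Toy ID-based ring signature (Section 6) and the key-less forgery attempt
of Section 7.2.  Added illustration, not the paper's code: G1 points are
stored as scalars (xP stored as x, P = 1) and e(xP, yP) = g^(xy) is a toy
pairing over a 1019-element group with trivial discrete logs."""
import hashlib
import random

Q = 1019            # toy group order (assumption)
P_MOD = 2 * Q + 1   # 2039, prime
G2_GEN = 4          # generator of the order-Q subgroup of Z_2039^*
S_MASTER = 617      # constructed TA master key s
P_PUB = S_MASTER    # P_pub = sP


def pair(x, y):
    """Toy bilinear map e(xP, yP) = g^(xy)."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)


def _hash(tag, *parts):
    data = tag.encode() + b"".join(b"|" + str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def H1(identity):
    """H1 : {0,1}* -> G1 (a nonzero scalar multiple of P)."""
    return 1 + _hash("H1", identity) % (Q - 1)


def H(L, m, g2):
    """H(L || m || g2) -> Z_q; the ring L and the message are bound in."""
    return _hash("H", ",".join(L), m, g2) % Q


def extract(identity):
    """Extract: S_ID = s H1(ID)."""
    return (S_MASTER * H1(identity)) % Q


def ring_sign(L, m, k, S_IDk, rng=random):
    """Sign m under ring L as member k, who holds S_IDk.  Returns (c0, T)."""
    n = len(L)
    A = rng.randrange(Q)                          # initialization
    c, T = [None] * n, [None] * n
    c[(k + 1) % n] = H(L, m, pair(A, 1))          # c_{k+1} = H(L||m||e(A,P))
    i = (k + 1) % n
    while i != k:                                 # forward ring sequence
        T[i] = rng.randrange(Q)
        glue = pair(T[i], 1) * pair((c[i] * H1(L[i])) % Q, P_PUB) % P_MOD
        c[(i + 1) % n] = H(L, m, glue)            # index n wraps to 0
        i = (i + 1) % n
    T[k] = (A - c[k] * S_IDk) % Q                 # close the ring
    return c[0], T


def ring_verify(L, m, sig):
    """Recompute c_1..c_n from c_0 and accept iff c_n == c_0."""
    c0, T = sig
    c = c0
    for i, identity in enumerate(L):
        glue = pair(T[i], 1) * pair((c * H1(identity)) % Q, P_PUB) % P_MOD
        c = H(L, m, glue)
    return c == c0


def forge_without_key(L, m, rng=random):
    """Steps S2-S5 of Section 7.2: pick c_0 and random T_i and hope the ring
    closes.  Succeeds with probability 1/q per attempt (about 0.1% here)."""
    n = len(L)
    c0 = rng.randrange(Q)
    T = [rng.randrange(Q) for _ in range(n)]
    return ring_verify(L, m, (c0, T))


if __name__ == "__main__":
    ring = ["alice@example.org", "bob@example.org", "carol@example.org"]
    sig = ring_sign(ring, "approve budget", 1, extract("bob@example.org"))
    print("bob's ring signature verifies:", ring_verify(ring, "approve budget", sig))
    print("key-less forgery verifies:", forge_without_key(ring, "approve budget"))
```

Any member's private key closes the ring and the resulting tuple has the same shape whoever signed, which is the signer-ambiguity argument; with $n = 1$ the loop body never runs and the code degenerates to the Hess-style signature noted above. The forgery attempt only succeeds when the random oracle happens to return $c_0$, i.e. with probability $1/q$, which is negligible once $q$ is of cryptographic size.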

7.3 Efficiency 

Our ring signature scheme can be implemented with supersingular elliptic curves or 
hyperelliptic curves. The essential operation in our ID-based signature schemes 
is computing a bilinear pairing. Due to [3] and [?], the computation of a bilinear 
pairing has become efficient. Furthermore, the length of a signature can be reduced 
by a factor of 2 using a compression technique. 

Since our scheme is based on an identity rather than an arbitrary number, a 
public key consists of some aspects of a user's information which uniquely 
identify him, such as an email address. In some applications, the lengths of public 
keys and signatures can be reduced. For instance, in an electronic voting or an 
electronic auction system, the registration manager (RM) can play the role of the 
TA in an ID-based cryptosystem. In the registration phase, the RM gives a bidder 
or a voter his registration number as his public key $= \{(\text{name of the e-voting 
or e-auction system} \,\|\, RM \,\|\, \text{Date} \,\|\, \text{Number}),\ n\}$. Here $n$ is the number of all 
bidders or voters. 

8 Summary and Open Problems 

The ID-based public key setting can be an alternative to the certificate-based public 
key setting, in particular when efficient key management and moderate security are required. 
In this paper, we proposed an ID-based blind signature scheme 
and an ID-based ring signature scheme using the bilinear pairing. We also analyzed 
their security and efficiency. Our ID-based blind signature scheme and ID-based 
ring signature scheme can easily be combined to design electronic voting schemes 
or electronic cash schemes. 

The security of our ID-based blind signature scheme against the generic 
parallel attack depends on the difficulty of the ROS-problem. At Crypto 2002, D. 
Wagner [25] claimed that he can break the ROS-problem in subexponential time. 
To be resistant against this new attack, $q$ may need to be at least 1600 bits long. 
Our ID-based blind signature scheme may therefore not be so efficient in implementation. 
Improving our ID-based blind signature scheme against the generic parallel 
attack remains an open problem. On the security against the sequential one-more 
signature forgery of our ID-based blind signature scheme, we expect to find 
a formal proof under standard assumptions. 
Abstract. We present hierarchical identity-based encryption schemes 
and signature schemes that have total collusion resistance on an arbitrary 
number of levels and that have chosen ciphertext security in the random 
oracle model assuming the difficulty of the Bilinear Diffie-Hellman prob- 
1 Introduction 

Our main result is an efficient construction for accomplishing hierarchical identi- 
ty-based encryption while retaining total collusion resistance (in the random ora- 
cle model). Prior to this paper, the only method known for making identity-based 
encryption hierarchical substantially sacrificed security (collusion resistance) or 
efficiency. 


1.1 Identity-Based Encryption 

In traditional public key encryption, Bob’s public key is a random string unre- 
lated to his identity. When Alice wants to send a message to Bob, she must first 
obtain Bob’s authenticated public key. Typical solutions to this problem involve 
public key directories. The main idea in identity-based encryption is to eliminate 
the public key distribution problem by making Bob’s public key derivable from 
some known aspect of his identity, such as his email address. When Alice wants 
to send a message to Bob, she merely derives Bob’s public key directly from his 
identifying information. Public key directories are unnecessary. 

Shamir [?] proposed the idea of identity-based cryptography in 1984, and 
described an identity-based signature scheme in the same article. However, prac- 
tical identity-based encryption (IBE) schemes were not found until recently with 
the work of Boneh and Franklin [5,6] and Cocks [?] in 2001. Cocks's scheme is 
based on the Quadratic Residuosity Problem, and although encryption and de- 
cryption are reasonably fast (about the speed of RSA), there is significant mes- 
sage expansion, i.e., the bit-length of the ciphertext is many times the bit-length 
of the plaintext. The Boneh-Franklin scheme bases its security on the Bilinear 
Diffie-Hellman Problem, and is quite fast and efficient when using Weil or Tate 
pairings on supersingular elliptic curves or abelian varieties. 

We must note that ID-based encryption has some disadvantages. Bob receives 
his private key from a third party called a Private Key Generator (PKG) that 
computes his private key as a function of its master secret and Bob’s identity. 
This requires Bob to authenticate himself to the PKG (in the same way he would 
authenticate himself to a CA), and requires a secure channel through which 
the PKG may send Bob his private key. Bob’s PKG must publish parameters 
that embed its master secret, and Alice must obtain these parameters before 
sending an encrypted message to Bob. Another disadvantage is that the PKG 
knows Bob’s private key, i.e., key escrow is inherent in ID-based systems. Clearly, 
escrow is a serious problem for some applications. 

However, the advantages of identity-based encryption are compelling. The 
problem of obtaining authentic public keys has been replaced by the problem 
of obtaining authentic public parameters of PKGs, but the latter should be 
less burdensome since there will be substantially fewer PKGs than total users. 
For example, if everyone uses a single PKG, then everyone in the system can 
communicate securely without ever having to perform online lookup of public 
keys or public parameters. 

1.2 Motivation for Hierarchical ID-Based Encryption (HIDE) 

Although having a single PKG would completely eliminate online lookup, it 
is undesirable for a large network because the PKG becomes a bottleneck. Not 
only is private key generation computationally expensive, but also the PKG must 
verify proofs of identity and must establish secure channels to transmit private 
keys. Hierarchical ID-based encryption (HIDE) allows a root PKG to distribute 
the workload by delegating private key generation and identity authentication 
to lower-level PKGs. In a HIDE scheme, a root PKG need only generate private 
keys for domain-level PKGs, who in turn generate private keys for users in their 
domains in the next level. Authentication and private key transmission can be 
done locally. To encrypt a message to Bob, Alice need only obtain the public 
parameters of Bob’s root PKG (and Bob’s identifying information); there are 
no “lower-level parameters.” Another advantage of HIDE schemes is damage 
control: disclosure of a domain PKG’s secret does not compromise the secrets of 
higher-level PKGs. The schemes of Cocks and Boneh-Franklin do not have these 
properties. 

A hierarchical ID-based key sharing scheme with partial collusion-resistance 
is given in [10,11]. Horwitz and Lynn [12] introduced hierarchical identity-based 
encryption, and proposed a 2-level HIDE scheme with total collusion-resistance 
at the first level and with partial collusion-resistance at the second level, i.e., (a 
threshold number of) users can collude to obtain the secret of their domain PKG 
(and thereafter masquerade as the domain PKG). This scheme may be practical 
for applications where collusion below the first level is not a concern. Finding a 
secure and practical hierarchical identity-based encryption scheme was, prior to 
this paper, an important open question. 

1.3 Our Results 

The scheme in this paper extends the Boneh-Franklin IBE scheme in a natural 
way. It is a practical, fully scalable HIDE scheme with total collusion resistance 
and chosen ciphertext security in the random oracle model, regardless of the 
number of levels in the hierarchy, assuming the difficulty of the same Bilinear 
Diffie-Hellman (BDH) problem given in [5] (see Section 2 below). The scheme is 
quite efficient: the bit-length of the ciphertext and the complexity of decryption 
grow only linearly with the level of the message recipient.^1 For example, if Bob 
is at level 1 (just below the root PKG) and Carol is at level 10, Alice's ciphertext 
to Carol will be about 10 times as long as Alice's ciphertext to Bob, and Carol 
will take about 10 times as long as Bob to decrypt the message from Alice. At 
the top level, our HIDE scheme is as fast and efficient as Boneh-Franklin. We 
show how the scheme can be modified to reduce ciphertext expansion. 

The intuitively surprising aspect of this scheme is that, even though lower- 
level PKGs generate additional random information, this does not necessitate 
adding public parameters below the root level. Also, the random information 
generated by a lower-level PKG does not adversely affect the ability of users not 
under the lower-level PKG to send encrypted communications to users under 
the lower-level PKG. 

A hierarchical ID-based signature (HIDS) scheme follows naturally from our 
HIDE scheme (see Section 4). We also introduce the concept of dual-ID-based 
encryption (where the ciphertext is a function of both the encrypter's and de- 
crypter's identities) and show how this concept, in the context of hierarchical 
ID-based encryption, allows the length of the ciphertext to be reduced and per- 
mits the creation of "escrow shelters" that limit the scope of key escrow. 

The rest of the paper is organized as follows. Definitions and background 
information are given in Section 2. Our hierarchical ID-based encryption scheme 
is presented in Section 3. An associated hierarchical ID-based signature scheme 
is given in Section 4. Section 5 gives modifications to minimize the ciphertext 
expansion. Section 6 discusses how to restrict the scope of key escrow. Section 
7 gives security definitions and results (the full version will contain the proofs). 
Additional extensions and variations are given in Section 8. 

2 Definitions 

In this section, we give some definitions similar to those given in [5,6,12]. 

^1 Contrast this with [12], where the complexity of encryption grows linearly with the 
security against collusion of a domain PKG's secret. Our scheme has total collusion 
resistance assuming the difficulty of BDH. 
ID-Tuple: A user has a position in the hierarchy, defined by its tuple of IDs: 
$(\mathrm{ID}_1, \ldots, \mathrm{ID}_t)$. The user's ancestors in the hierarchy tree are the root PKG and 
the users/lower-level PKGs whose ID-tuples are $\{(\mathrm{ID}_1, \ldots, \mathrm{ID}_i) : 1 \le i < t\}$. 

Hierarchical Identity-Based Encryption (HIDE): a HIDE scheme is spec- 
ified by five randomized algorithms: Root Setup, Lower-level Setup, Extraction, 
Encryption, and Decryption: 

Root Setup: The root PKG takes a security parameter $K$ and returns params 
(system parameters) and a root secret. The system parameters include a descrip- 
tion of the message space $\mathcal{M}$ and the ciphertext space $\mathcal{C}$. The system parameters 
will be publicly available, while only the root PKG will know the root secret. 

Lower-Level Setup: Lower-level users must obtain the system parameters of 
the root PKG. In HIDE schemes, a lower-level user is not permitted to have any 
"lower-level parameters" of its own. However, this constraint does not necessar- 
ily preclude a lower-level PKG from generating its own lower-level secret, which 
it may use in issuing private keys to its children. In fact, in our HIDE scheme, 
a lower-level PKG may generate a lower-level secret, or it may generate random 
one-time secrets for each Extraction. 

Extraction: A PKG (whether the root one or a lower-level one) with ID-tuple 
$(\mathrm{ID}_1, \ldots, \mathrm{ID}_t)$ may compute a private key for any of its children (e.g., with ID- 
tuple $(\mathrm{ID}_1, \ldots, \mathrm{ID}_t, \mathrm{ID}_{t+1})$) by using the system parameters and its private key 
(and any other secret information). 

Encryption: A sender inputs params, $M \in \mathcal{M}$ and the ID-tuple of the intended 
message recipient, and computes a ciphertext $C \in \mathcal{C}$. 

Decryption: A user inputs params, $C \in \mathcal{C}$, and its private key $d$, and returns 
the message $M \in \mathcal{M}$. 

Encryption and decryption must satisfy the standard consistency constraint, 
namely when $d$ is the private key generated by the Extraction algorithm for 
ID-tuple, then: 

$$\forall M \in \mathcal{M}: \ \mathrm{Decryption}(\mathrm{params}, d, C) = M 
\quad \text{where } C = \mathrm{Encryption}(\mathrm{params}, \text{ID-tuple}, M).$$

Hierarchical ID-Based Signature (HIDS): a HIDS scheme is specified by 
five randomized algorithms: Root Setup, Lower-level Setup, Extraction, Signing, 
and Verification. For Root Setup, the system parameters are supplemented to 
include a description of the signature space $\mathcal{S}$. Lower-level Setup and Extraction 
are as above. 

Signing: A signer inputs params, its private key $d$, and $M \in \mathcal{M}$ and outputs a 
signature $S \in \mathcal{S}$. 

Verification: A user inputs params, the ID-tuple of the signer, $M \in \mathcal{M}$, and 
$S \in \mathcal{S}$ and outputs "valid" or "invalid." 

Signing and verification must also satisfy a consistency constraint, namely when 
$d$ is the private key generated by the Extraction algorithm for ID-tuple, then: 

$$\forall M \in \mathcal{M}: \ \mathrm{Verification}(\mathrm{params}, \text{ID-tuple}, M, S) = \text{``valid''} 
\quad \text{where } S = \mathrm{Signing}(\mathrm{params}, d, M).$$

The security of our HIDE scheme is based on the difficulty of the Bilinear 
Diffie-Hellman (BDH) Problem. Let $G_1$ and $G_2$ be two cyclic groups of some 
large prime order $q$. We write $G_1$ additively and $G_2$ multiplicatively. Our HIDE 
scheme makes use of a "bilinear" pairing. 

Admissible Pairings: We will call $e$ an admissible pairing if $e : G_1 \times G_1 \to G_2$ 
is a map with the following properties: 

1. Bilinear: $e(aQ, bR) = e(Q, R)^{ab}$ for all $Q, R \in G_1$ and all $a, b \in \mathbb{Z}$. 

2. Non-degenerate: The map does not send all pairs in $G_1 \times G_1$ to the identity 
in $G_2$. 

3. Computable: There is an efficient algorithm to compute $e(Q, R)$ for any 
$Q, R \in G_1$. 

We will also need the mapping $e$ to be symmetric, i.e., $e(Q, R) = e(R, Q)$ 
for all $Q, R \in G_1$, but this follows immediately from the bilinearity property 
and the fact that $G_1$ is a cyclic group. We note that the Weil and Tate pairings 
associated with supersingular elliptic curves or abelian varieties can be modified 
to create such bilinear maps, as in [13,5,7]; see also [14,21]. 

BDH Parameter Generator: As in [5], we say that a randomized algorithm 
$\mathcal{IG}$ is a BDH parameter generator if $\mathcal{IG}$ takes a security parameter $K > 0$, 
runs in time polynomial in $K$, and outputs the description of two groups $G_1$ 
and $G_2$ of the same prime order $q$ and the description of an admissible pairing 
$e : G_1 \times G_1 \to G_2$. 

Bilinear Diffie-Hellman (BDH) Problem: Given a randomly chosen $P \in 
G_1$, as well as $aP$, $bP$, and $cP$ (for unknown randomly chosen $a, b, c \in \mathbb{Z}/q\mathbb{Z}$), 
compute $e(P, P)^{abc}$. 

For the BDH problem to be hard, $G_1$ and $G_2$ must be chosen so that there is 
no known algorithm for efficiently solving the Diffie-Hellman problem in either 
$G_1$ or $G_2$. Note that if the BDH problem is hard for a pairing $e$, then it follows 
that $e$ is non-degenerate. 

Bilinear Diffie-Hellman Assumption: As in [5], if $\mathcal{IG}$ is a BDH parameter 
generator, the advantage $\mathrm{Adv}_{\mathcal{IG}}(\mathcal{B})$ that an algorithm $\mathcal{B}$ has in solving the BDH 
problem is defined to be the probability that the algorithm $\mathcal{B}$ outputs $e(P, P)^{abc}$ 
on inputs $G_1, G_2, e, P, aP, bP, cP$, where $(G_1, G_2, e)$ is the output of $\mathcal{IG}$ for a suf- 
ficiently large security parameter $K$, $P$ is a random generator of $G_1$, and $a, b, c$ 
are random elements of $\mathbb{Z}/q\mathbb{Z}$. The Bilinear Diffie-Hellman assumption is that 
$\mathrm{Adv}_{\mathcal{IG}}(\mathcal{B})$ is negligible for all efficient algorithms $\mathcal{B}$. 

3 Hierarchical ID-Based Encryption Schemes 

We describe our scheme in a format similar to that used in [5]. We begin by 
describing a basic scheme, and then extend it to a full scheme that is secure 
against adaptive chosen ciphertext attack in the random oracle model, assuming 
the difficulty of the BDH problem. 

We may sometimes refer to elements of Gi as “points,” which may suggest 
that e is a modified Weil or Tate pairing, but we note again that any admissible 
pairing e will work. 

3.1 BasicHIDE 

Let $\mathrm{Level}_i$ be the set of entities at level $i$, where $\mathrm{Level}_0 = \{\text{Root PKG}\}$. Let $K$ 
be the security parameter given to the setup algorithm, and let $\mathcal{IG}$ be a BDH 
parameter generator. 

Root Setup: The root PKG: 

1. runs $\mathcal{IG}$ on input $K$ to generate groups $G_1, G_2$ of some prime order $q$ and 
an admissible pairing $e : G_1 \times G_1 \to G_2$; 

2. chooses an arbitrary generator $P_0 \in G_1$; 

3. picks a random $s_0 \in \mathbb{Z}/q\mathbb{Z}$ and sets $Q_0 = s_0 P_0$; 

4. chooses cryptographic hash functions $H_1 : \{0,1\}^* \to G_1$ and $H_2 : G_2 \to 
\{0,1\}^n$ for some $n$. The security analysis will treat $H_1$ and $H_2$ as random 
oracles. 

The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1^t \times \{0,1\}^n$ 
where $t$ is the level of the recipient. The system parameters are $\mathrm{params} = 
(G_1, G_2, e, P_0, Q_0, H_1, H_2)$. The root PKG's secret is $s_0 \in \mathbb{Z}/q\mathbb{Z}$. 

Lower-Level Setup: Entity $E_t \in \mathrm{Level}_t$ picks a random $s_t \in \mathbb{Z}/q\mathbb{Z}$, which it keeps 
secret. 

Extraction: Let $E_t$ be an entity in $\mathrm{Level}_t$ with ID-tuple $(\mathrm{ID}_1, \ldots, \mathrm{ID}_t)$, where 
$(\mathrm{ID}_1, \ldots, \mathrm{ID}_i)$ for $1 \le i < t$ is the ID-tuple of $E_t$'s ancestor at $\mathrm{Level}_i$. Set $S_0$ to 
be the identity element of $G_1$. Then $E_t$'s parent: 

1. computes $P_t = H_1(\mathrm{ID}_1, \ldots, \mathrm{ID}_t) \in G_1$; 

2. sets $E_t$'s secret point $S_t$ to be $S_{t-1} + s_{t-1} P_t = \sum_{i=1}^{t} s_{i-1} P_i$; 

3. also gives $E_t$ the values $Q_i = s_i P_0$ for $1 \le i \le t-1$. 

Encryption: To encrypt $M \in \mathcal{M}$ with the ID-tuple $(\mathrm{ID}_1, \ldots, \mathrm{ID}_t)$, do the fol- 
lowing: 

1. Compute $P_i = H_1(\mathrm{ID}_1, \ldots, \mathrm{ID}_i) \in G_1$ for $1 \le i \le t$. 

2. Choose a random $r \in \mathbb{Z}/q\mathbb{Z}$. 

3. Set the ciphertext to be: 

$$C = [rP_0, rP_2, \ldots, rP_t, M \oplus H_2(g^r)] \quad \text{where } g = e(Q_0, P_1) \in G_2.$$

Decryption: Let $C = [U_0, U_2, \ldots, U_t, V] \in \mathcal{C}$ be the ciphertext encrypted using 
the ID-tuple $(\mathrm{ID}_1, \ldots, \mathrm{ID}_t)$. To decrypt $C$, $E_t$ computes: 

$$V \oplus H_2\!\left(\frac{e(U_0, S_t)}{\prod_{i=2}^{t} e(Q_{i-1}, U_i)}\right) = M.$$

This recovers $M$ because $e(U_0, S_t) = \prod_{i=1}^{t} e(P_0, P_i)^{r s_{i-1}}$ while 
$e(Q_{i-1}, U_i) = e(P_0, P_i)^{r s_{i-1}}$ for $2 \le i \le t$, so the quotient is $e(P_0, P_1)^{r s_0} = g^r$. 

This concludes the description of our BasicHIDE scheme. 

Remark 1. Each lower-level PKG, say in $\mathrm{Level}_t$, has a secret $s_t \in \mathbb{Z}/q\mathbb{Z}$, 
just like the root PKG. A lower-level PKG uses this secret to generate a secret 
point for each of its children, just as the root PKG does. An interesting fact, 
however, is that lower-level PKGs need not always use the same $s_t$ for each 
private key extraction. Rather, $s_t$ could be generated randomly for each of the 
PKG's children. 

Remark 2. $H_1$ can be chosen to be an iterated hash function so that, for example, 
$P_i$ may be computed as $H_1(P_{i-1}, \mathrm{ID}_i)$ rather than $H_1(\mathrm{ID}_1, \ldots, \mathrm{ID}_i)$. 

Remark 3. In what follows, we may refer to $S_t$ as $E_t$'s private point, and to 
$\{Q_i : 1 \le i < t\}$ as $E_t$'s Q-values. We say that $S'_t$ and $\{Q'_i : 1 \le i < t\}$ form a 
valid private key for the point-tuple $(P_1, \ldots, P_t)$ if $S'_t = s_0 P_1 + \sum_{i=2}^{t} s'_{i-1} P_i$ and 
$Q'_i = s'_i P_0$ for some $(s'_1, \ldots, s'_{t-1}) \in (\mathbb{Z}/q\mathbb{Z})^{t-1}$. 

Remark 4. Note that the same $g$ can be used for all descendants of $P_1$. This 
value can be precomputed. 


3.2 FullHIDE: HIDE with Chosen Ciphertext Security 

In [5], Fujisaki-Okamoto padding [?] is used to convert a basic IBE scheme to 
an IBE scheme that is chosen ciphertext secure in the random oracle model. In 
the same way, BasicHIDE can be converted to FullHIDE, a HIDE scheme that 
is chosen ciphertext secure in the random oracle model. Next we describe the 
scheme FullHIDE. 

Setup: As in the BasicHIDE scheme, but in addition choose hash functions 
$H_3 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}/q\mathbb{Z}$ and $H_4 : \{0,1\}^n \to \{0,1\}^n$. 

Extraction: As in the BasicHIDE scheme. 

Encryption: To encrypt $M \in \mathcal{M}$ with the ID-tuple $(\mathrm{ID}_1, \ldots, \mathrm{ID}_t)$, do the fol- 
lowing: 

1. compute $P_i = H_1(\mathrm{ID}_1, \ldots, \mathrm{ID}_i) \in G_1$ for $1 \le i \le t$, 

2. choose a random $\sigma \in \{0,1\}^n$, 

3. set $r = H_3(\sigma, M)$, and 

4. set the ciphertext to be: 

$$C = [rP_0, rP_2, \ldots, rP_t, \sigma \oplus H_2(g^r), M \oplus H_4(\sigma)] 
\quad \text{where } g = e(Q_0, P_1) \in G_2 \text{ as before.}$$

Decryption: Let $C = [U_0, U_2, \ldots, U_t, V, W] \in \mathcal{C}$ be the ciphertext encrypted 
using the ID-tuple $(\mathrm{ID}_1, \ldots, \mathrm{ID}_t)$. If $(U_0, U_2, \ldots, U_t) \notin G_1^t$, reject the ciphertext. 
To decrypt $C$, $E_t$ does the following: 

1. computes 

$$V \oplus H_2\!\left(\frac{e(U_0, S_t)}{\prod_{i=2}^{t} e(Q_{i-1}, U_i)}\right) = \sigma,$$

2. computes $W \oplus H_4(\sigma) = M$, 

3. sets $r = H_3(\sigma, M)$ and tests that $[U_0, U_2, \ldots, U_t, V]$ is a BasicHIDE encryp- 
tion of $\sigma$ using $r$ and $(\mathrm{ID}_1, \ldots, \mathrm{ID}_t)$. If not, it rejects the ciphertext. 

4. outputs $M$ as the decryption of $C$. 

Note that $M$ is encrypted as $W = M \oplus H_4(\sigma)$. This can be replaced by 
$W = E_{H_4(\sigma)}(M)$ where $E$ is a semantically secure symmetric encryption scheme 
(see [?] and Section 4.2 of [5]). 


4 Hierarchical ID-Based Signature (HIDS) Schemes 

ID-based encryption, whether hierarchical or not, has a clear advantage over 
PKI; it does not require online public key lookup. On the other hand, it is not 
so clear that ID-based signatures have an advantage over traditional signature 
schemes using PKI. Indeed, any public-key signature scheme may be transformed 
into an ID-based (hierarchical) signature scheme by using (a hierarchy of) cer- 
tificates, since certificates “bind” an identity to a public key. 

The previous comments notwithstanding, we present a Hierarchical ID-based 
Signature (HIDS) scheme based on the difficulty of solving the Diffie-Hellman 
problem in the group Gi. When viewed in isolation, this HIDS scheme is not 
especially useful for the reasons stated above (though it may be more efficient) . 
However, as will be explained later, the HIDS scheme becomes quite useful when 
viewed in combination with the HIDE scheme as a complete package. 
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4.1 A HIDS Scheme 

As noted by Moni Naor (see Section 6 of [5]), an IBE scheme can be immediately 
converted into a public key signature scheme as follows: the signer's private 
key is the master key in the IBE scheme. The signer's signature on $M$ is the 
IBE decryption key $d$ corresponding to the "public key" $H_1(\mathrm{ID}) = H_1(M)$. 
The verifier checks the signature by choosing a random message $M'$, encrypting 
$M'$ under the "public key" $M$, and trying to decrypt the resulting ciphertext with $d$. If the 
ciphertext decrypts correctly, the signature is considered valid. 

This observation can be extended to a hierarchical context: a HIDE scheme 
can be immediately converted to a HIDS scheme. Suppose the signer has ID- 
tuple (IDi, . . . ,ID t ). To sign M, the signer computes a private key d for the 
ID-tuple (IDi, . . . ,IDt, M), and sends d to the verifier. As before, the verifier 
checks the signature by choosing a random message M', encrypting M' with the 
“public key” (IDi, . . . ,ID t , M), and trying to decrypt the resulting ciphertext 
with d. The security of this HIDS scheme follows immediately from the security 
of our HIDE scheme, since forging a signer’s signature is equivalent to recovering 
the private key of one of the signer’s children. 

An obvious pitfall in the HIDS scheme just described is that an attacker might 
try to get the signer to sign $M = \mathrm{ID}_{t+1}$ where $\mathrm{ID}_{t+1}$ represents an actual identity. 
In this case, the signer's signature will actually be a private key, which thereafter 
may be used to decrypt messages and forge signatures. The easy solution to this 
problem is to use some expedient, such as a bit prefix, that distinguishes 
between signing and private key extraction. 

Below we describe our HIDS scheme in more detail. The security of the HIDS 
scheme is based on the difficulty of solving the Diffie-Hellman problem in the 
group $G_1$ (as opposed to HIDE, which requires the BDH problem to be difficult, 
and therefore requires the Diffie-Hellman problem in $G_2$ to be difficult). 

Let Level, be the set of entities at level i, where Levelo = {Root PKG}. Let 
K be the security parameter given to the setup algorithm, and let IQ be a BDH 
parameter generator. 

Root Setup: The root PKG: 

1. runs IQ on input K to generate groups Gi,G 2 of prime order q and an 
admissible pairing e: Gi x Gi — > G 2 ; 

2. chooses an arbitrary generator Pq e Gi; 

3. picks a random so G Z/gZ and sets Qo = So-Poi 

4. chooses cryptographic hash functions Hi : {0, 1}* — > Gi and H :i : (0, 1}* — > 
Gi. The security analysis will treat Hi and H 3 as random oracles. 

The signature space is S = G{ +1 where t is the level of the signer. The system 
parameters are params = (Gi,G 2 ,e, Pq,Qo, Hi, H 3 ). The root PKG’s secret is 
s 0 6 Z/gZ. 

Lower-Level Setup: As in BasicHIDE. 
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Extraction: As in BasicHIDE. 

Signing: To sign $M$ with ID-tuple $(\mathrm{ID}_1, \ldots, \mathrm{ID}_t)$ (using the secret point $S_t = 
\sum_{i=1}^{t} s_{i-1} P_i$ and the points $Q_i = s_i P_0$ for $1 \le i \le t$), do the following: 

1. Compute $P_M = H_3(\mathrm{ID}_1, \ldots, \mathrm{ID}_t, M) \in G_1$. (As suggested above, we might 
use a bit-prefix or some other method, instead of using a totally different 
hash function.) 

2. Compute $\mathrm{Sig}(\text{ID-tuple}, M) = S_t + s_t P_M$. 

3. Send $\mathrm{Sig}(\text{ID-tuple}, M)$ and $Q_i = s_i P_0$ for $1 \le i \le t$. 

Verification: Let $[\mathrm{Sig}, Q_1, \ldots, Q_t] \in \mathcal{S}$ be the signature for (ID-tuple, $M$). The 
verifier confirms that: 

$$e(P_0, \mathrm{Sig}) = e(Q_0, P_1)\, e(Q_t, P_M) \prod_{i=2}^{t} e(Q_{i-1}, P_i).$$


5 Shortening the Ciphertext and Signatures 

In the HIDE scheme, the length of the ciphertext is proportional to the depth of 
the recipient in the hierarchy. Similarly, in the hierarchical ID-based signature 
scheme, the length of the signature is proportional to the depth of the signer in 
the hierarchy, unless the verifier already has the signer's $Q$-values. This section 
discusses ways in which this ciphertext expansion problem may be avoided. 


5.1 Dual-HIDE: Dual-Identity-Based Encryption 

In 2000, Sakai, Ohgishi and Kasahara m presented a "key sharing scheme" 
based on the Weil pairing. The idea was quite simple: suppose a PKG has a 
master secret $s$, and it issues private keys to users of the form $sP_y$, where $P_y = 
H_1(\mathrm{ID}_y)$ and $\mathrm{ID}_y$ is the ID of user $y$ (as in Boneh-Franklin). Then users $y$ and 
$z$ have a shared secret that only they (and the PKG) may compute, namely, 
$e(sP_y, P_z) = e(P_y, P_z)^s = e(P_y, sP_z)$. They may use this shared secret to encrypt 
their communications. Notice that this key sharing scheme does not require any 
interaction between the parties. We can view Sakai, Ohgishi and Kasahara's 
discovery as a type of "dual-identity-based encryption," where the word "dual" 
indicates that the identities of both the sender and the recipient (rather than 
just the recipient) are required as input into the encryption and decryption 
algorithms. The main practical difference between this scheme and the Boneh-
Franklin IBE scheme is that the sender must obtain its private key from the 
PKG before sending encrypted communications, as opposed to merely obtaining 
the public parameters of the PKG. For other key agreement schemes that could 
be viewed as dual-identity-based see |3nj. 

In the hierarchical context, Dual-HIDE may be more efficient than HIDE 
if the sender and recipient are close to each other in the hierarchy tree. Suppose 
two users, $y$ and $z$, have the ID-tuples $(\mathrm{ID}_{y1}, \ldots, \mathrm{ID}_{yl}, \ldots, \mathrm{ID}_{ym})$ and 
$(\mathrm{ID}_{z1}, \ldots, \mathrm{ID}_{zl}, \ldots, \mathrm{ID}_{zn})$, where 

$$(\mathrm{ID}_{y1}, \ldots, \mathrm{ID}_{yl}) = (\mathrm{ID}_{z1}, \ldots, \mathrm{ID}_{zl}).$$

In other words, user $y$ is in $\text{Level}_m$, user $z$ is in $\text{Level}_n$, and they share a common 
ancestor in $\text{Level}_l$. User $y$ may use Dual-HIDE to encrypt a message to user $z$ 
as follows: 

Encryption: To encrypt $M \in \mathcal{M}$, user $y$: 

1. Computes $P_{zi} = H_1(\mathrm{ID}_{z1}, \ldots, \mathrm{ID}_{zi}) \in G_1$ for $l+1 \le i \le n$. 

2. Chooses a random $r \in \mathbb{Z}/q\mathbb{Z}$. 

3. Sets the ciphertext to be: 

$$C = [rP_0, rP_{z(l+1)}, \ldots, rP_{zn}, M \oplus H_2(g_{yl}^r)]$$

where 

$$g_{yl} = \frac{e(P_0, S_y)}{\prod_{i=l+1}^{m} e(Q_{y(i-1)}, P_{yi})} = e(P_0, S_{yl}),$$

$S_y$ is $y$'s secret point, $S_{yl}$ is the secret point of $y$'s and $z$'s common ancestor 
at level $l$, and $Q_{yi} = s_{yi} P_0$ where $s_{yi}$ is the secret number chosen by $y$'s 
ancestor at level $i$. 


Decryption: Let $C = [U_0, U_{l+1}, \ldots, U_n, V]$ be the ciphertext. To decrypt $C$, user 
$z$ computes: 

$$V \oplus H_2\!\left(\frac{e(U_0, S_z)}{\prod_{i=l+1}^{n} e(Q_{z(i-1)}, U_i)}\right) = M.$$


Note that if $y$ and $z$ have a common ancestor below the root PKG, then the 
ciphertext is shorter with Dual-HIDE than with non-dual HIDE. Further, using 
Dual-HIDE, the encrypter $y$ computes $m - l + 1$ pairings while the decrypter 
$z$ computes $n - l + 1$ pairings. (Note that $m + n - 2l$ is the "length" of the 
path between $y$ and $z$ in the hierarchy tree.) In the non-dual HIDE scheme, the 
encrypter computes one pairing while the decrypter computes $n$ pairings. Thus 
when $m < 2l - 1$, the total work is less with Dual-HIDE than with non-dual 
HIDE. The relative computing power of the sender and recipient can also be 
taken into account. In the full paper we will show how to decrease the number of 
pairings that $y$ and $z$ must compute to $m + n - 2l + 1$ if their common ancestor 
in $\text{Level}_l$ always uses the same $s_l$ rather than generating this number randomly 
with each private key extraction. 
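The HIDS signing and verification equation from the previous section, the bit-prefix separation of $H_3$ from $H_1$ suggested at its start, and the Dual-HIDE encryption and decryption just described, worked through together as an added example that is not from the paper. It uses a constructed toy pairing in which every group element is stored as its discrete log (enough to check the identities, with no security whatsoever), SHA-256 stand-ins for $H_1$, $H_2$ and $H_3$, and a constructed hierarchy of identities; the `l == 0` check is my addition for the case the text restricts to a common ancestor below the root.

```python
"""Toy model of the HIDS and Dual-HIDE algebra (constructed example).

The "pairing" is fake: every element of G1 and G2 is stored as its
discrete log, so e(aP0, bP0) is just a*b mod q, and G2 is written
additively (product = +, inverse = -, exponentiation = scalar multiply).
That makes BDH trivial and the model insecure; it only lets us check the
paper's verification and decryption identities term by term.
"""
import hashlib
import secrets

q = 2**61 - 1   # prime order of G1 and G2 (constructed choice: Mersenne prime M61)
P0 = 1          # generator of G1, stored as its own log, i.e. 1

def e(a, b):
    """Toy admissible pairing G1 x G1 -> G2 on log-represented points."""
    return (a * b) % q

def rand_zq():
    return secrets.randbelow(q - 1) + 1

def hash_to_zq(tag, parts):
    """Random-oracle stand-in for H1/H3; the tag prefix keeps them distinct."""
    h = hashlib.sha256(tag + b"|" + b"|".join(parts)).digest()
    return int.from_bytes(h, "big") % (q - 1) + 1      # never 0

def H1(ids):          # P_i = H1(ID_1, ..., ID_i)
    return hash_to_zq(b"id", [i.encode() for i in ids])

def H3(ids, msg):     # P_M = H3(ID_1, ..., ID_t, M); the "sig" prefix separates it from H1
    return hash_to_zq(b"sig", [i.encode() for i in ids] + [msg])

def H2(g2_elem):      # key derivation G2 -> {0,1}^256
    return hashlib.sha256(str(g2_elem).encode()).digest()

def xor(a, b):        # one-time pad for messages of at most 32 bytes
    return bytes(x ^ y for x, y in zip(a, b))

class Entity:
    """PKG or user at level t: ID-tuple, private point S_t, secret s_t, Q_0..Q_t."""
    def __init__(self, ids, S, s, Qs):
        self.ids, self.S, self.s, self.Q = ids, S, s, Qs

def root_setup():
    s0 = rand_zq()
    return Entity((), 0, s0, [(s0 * P0) % q])   # Q_0 = s_0 P_0 is a system parameter

def extract(parent, child_id):
    """Lower-level extraction: S_t = S_{t-1} + s_{t-1} P_t and Q_t = s_t P_0."""
    ids = parent.ids + (child_id,)
    S_t = (parent.S + parent.s * H1(ids)) % q
    s_t = rand_zq()
    return Entity(ids, S_t, s_t, parent.Q + [(s_t * P0) % q])

def hids_sign(signer, msg):
    """Sig = S_t + s_t P_M, sent together with Q_1, ..., Q_t."""
    sig = (signer.S + signer.s * H3(signer.ids, msg)) % q
    return sig, signer.Q[1:]

def hids_verify(Q0, ids, msg, signature):
    """Check e(P0, Sig) == e(Q0, P1) e(Q1, P2) ... e(Q_{t-1}, P_t) e(Q_t, P_M)."""
    sig, Qs = signature
    if len(Qs) != len(ids):
        return False
    Qall = [Q0] + list(Qs)
    rhs = sum(e(Qall[i - 1], H1(ids[:i])) for i in range(1, len(ids) + 1))
    rhs += e(Qall[len(ids)], H3(ids, msg))
    return e(P0, sig) == rhs % q

def common_level(ids_a, ids_b):
    l = 0
    while l < min(len(ids_a), len(ids_b)) and ids_a[l] == ids_b[l]:
        l += 1
    return l

def dual_hide_encrypt(sender, recipient_ids, msg):
    """C = [rP0, rP_{z(l+1)}, ..., rP_{zn}, M xor H2(g_yl^r)] with g_yl = e(P0, S_yl)."""
    l = common_level(sender.ids, recipient_ids)
    if l == 0:
        raise ValueError("no common ancestor below the root PKG: use plain HIDE")
    g_yl = e(P0, sender.S)
    for i in range(l + 1, len(sender.ids) + 1):   # divide out the levels below the ancestor
        g_yl -= e(sender.Q[i - 1], H1(sender.ids[:i]))
    r = rand_zq()
    U = [(r * H1(recipient_ids[:i])) % q for i in range(l + 1, len(recipient_ids) + 1)]
    return (r * P0) % q, U, xor(msg, H2((r * g_yl) % q))

def dual_hide_decrypt(recipient, ciphertext):
    """M = V xor H2( e(U0, S_z) / prod_{i=l+1}^{n} e(Q_{z(i-1)}, U_i) )."""
    U0, U, V = ciphertext
    l = len(recipient.ids) - len(U)
    val = e(U0, recipient.S)
    for k, U_i in enumerate(U):                     # U_i = r P_{zi} with i = l + 1 + k
        val -= e(recipient.Q[l + k], U_i)
    return xor(V, H2(val % q))
```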

Dual-HIDE also makes domain-specific broadcast encryption possible. Sup- 
pose user $y$ wants to encrypt a message to everyone having the same ancestor 
in $\text{Level}_l$. Everyone in this common ancestor's domain may compute the shared 
secret $e(P_0, S_{yl})$, and so this secret may be used as a shared key of everyone in 
this domain. Users outside of this domain, other than the parent of the common 
ancestor, will be unable to compute this pairing. (In Section 6.1 we describe how 
to exclude even the parent.) Note that Dual-HIDE broadcast is not fully com- 
patible with the HIDS scheme. If Dual-HIDE broadcast and the HIDS scheme 
use the same parameters, everyone outside the domain who receives a signature 
from someone in the domain will also be able to compute $e(P_0, S_{yl})$. 

Fujisaki-Okamoto padding turns Dual-HIDE into FullDual-HIDE, a dual- 
identity encryption scheme with adaptive chosen ciphertext security. 

5.2 Dual-HIDS: Dual-Identity-Based Signatures 

Dual hierarchical identity-based signatures (Dual-HIDS) are much easier to ex- 
plain. If users $y$ and $z$, as above, have a common ancestor in $\text{Level}_l$, then $y$ only 
needs to send $Q_{yi}$ for $l+1 \le i \le m$. This makes the length of the signature 
proportional to $m - l$ rather than $m$. 


5.3 Authenticated Lower-Level Root PKGs 

Suppose that user y often sends mail to people at a certain university - say, 
Cryptography State University (CSU ) - but that CSU is deep in the hierarchy, 
and that y is not close to CSU in the hierarchy. How do we solve the ciphertext 
expansion problem? One solution, of course, is for CSU to set up its own root 
PKG with its own system parameters, unassociated with the “actual” root PKG. 
After y obtains CSU ’s system parameters, its ciphertext to CSU recipients will 
be shorter. However, we would prefer not to have “rogue” root PKGs. 

A better solution is for CSU to set up a root PKG that is "authenticated" 
by the actual root PKG. For this purpose, the actual root PKG may have an 
additional parameter, a random message $M'$. To set up its authenticated root 
PKG, CSU "signs" $M'$, generating the signature $\mathrm{Sig} = S_t + s_t P_{M'}$, where $S_t$ is 
CSU's private point, and $s_t$ is its lower-level secret. CSU also publishes $Q_i$ for 
$1 \le i \le t$. 

Let $(\mathrm{ID}_1, \ldots, \mathrm{ID}_t, \ldots, \mathrm{ID}_v)$ be the ID-tuple of user $z$ at CSU having point- 
tuple $(P_1, \ldots, P_t, \ldots, P_v)$. Then $y$ may send an encrypted message to $z$, using 
the parameters for CSU's authenticated root PKG, as follows: 


Encryption: To encrypt $M \in \mathcal{M}$, user $y$: 

1. Computes $P_i = H_1(\mathrm{ID}_1, \ldots, \mathrm{ID}_i) \in G_1$ for $t+1 \le i \le v$. 

2. Chooses a random $r \in \mathbb{Z}/q\mathbb{Z}$. 

3. Sets the ciphertext to be: 

$$C = [rP_0, rP_{t+1}, \ldots, rP_v, M \oplus H_2(g_t^r)]$$

where 

$$g_t = \frac{e(P_0, \mathrm{Sig})}{e(s_t P_0, P_{M'})} = e(P_0, S_t).$$


Decryption: Let $C = [U_0, U_{t+1}, \ldots, U_v, V]$ be the ciphertext. To decrypt $C$, user 
$z$ computes: 

$$V \oplus H_2\!\left(\frac{e(U_0, S_v)}{\prod_{i=t+1}^{v} e(Q_{i-1}, U_i)}\right) = M$$

where $S_v$ is $z$'s private key. 

The number of pairings computed by the decrypter is $v - t + 1$, one more 
than its depth below CSU, not its depth below the actual root PKG. 

Interestingly, if y obtains any signature from CSU , not necessarily on a par- 
ticular message M', then y may use that signature to shorten its ciphertext in 
the same way. In effect, y’s possession of any signature from CSU allows y to use 
Dual-HIDE as if y’s position in the hierarchy is just below CSU . Thus, y may use 
CSU ’s signature to shorten its ciphertext not only to entities below CSU in the 
hierarchy, but also to any entity that is close to CSU in the hierarchy. In general, 
one could have an “optimized” HIDE scheme in which the sender stores a list 
of HIDS signatures that it has obtained, and, upon each encryption, searches 
through that list (which may be put in lexicographic order) to find the signer 
that is closest in the hierarchy to the intended message recipient, and then uses 
that signer’s signature, in combination with Dual-HIDE, to minimize the length 
of the ciphertext. 

6 Restricting Key Escrow 

In IBE schemes, key escrow is “inherent” because the PKG knows the private 
key of each user. Even in the hierarchical scheme of Horwitz and Lynn, every 
ancestor of a given user in the hierarchy knows that user’s private key. Although 
this key escrow property may be useful in some contexts, it is certainly not 
desirable for all applications. 

In our HIDE scheme, since the private point of a user depends on a secret 
number known only to the parent of that user, no ancestor other than the parent 
may compute the user's particular private point. However, the user's ancestors 
can still decrypt the user's mail; they may simply compute a different (but 
equally effective) private key for the user based on different lower-level $Q$-values. 
Using these different $Q$-values, they may also forge the user's signature. In this 
section, we discuss how Dual-HIDE and/or key agreement protocols can be used 
to restrict this key escrow property. 

6.1 Restricting Key Escrow Using Dual-HIDE 

Consider again users $y$ and $z$ from Section 5.1 who have a common ancestor in 
$\text{Level}_l$. Let's say their common ancestor is Cryptography State University, and 
suppose that user $y$ uses Dual-HIDE to encrypt its messages to $z$. As stated 
above, CSU's parent knows CSU's private point. From CSU's perspective, this 
may be an undesirable situation. However, CSU can easily change its private 
point $S_l$ by setting $S_l := S_l + bP_l$ and setting $Q_{l-1} := Q_{l-1} + bP_0$ for some 
random $b \in \mathbb{Z}/q\mathbb{Z}$. This new private key is just as effective, and is unknown to 
CSU's parent. Assuming that CSU uses its new private key to issue private keys 
to its children, none of CSU's ancestors will be able to decrypt $y$'s message to 
$z$ encrypted using Dual-HIDE. More specifically, only ancestors of $z$ that are 
within CSU's domain will be able to decrypt. 

6.2 Authenticated Key Agreement with no Session Key Escrow 

HIDS provides a convenient platform on which key agreement may be authenti- 
cated (see also [T] for authenticated three-party (non-ID based) key agreement 
protocols using pairings). A simple explicit authenticated key agreement protocol 
is as follows: 

1. Alice chooses a random $a \in \mathbb{Z}/q\mathbb{Z}$ and sends $aP_0$ and $\mathrm{Sign}(aP_0)$ to Bob. 

2. Bob chooses a random $b \in \mathbb{Z}/q\mathbb{Z}$ and sends $bP_0$ and $\mathrm{Sign}(bP_0)$ to Alice. 

3. Alice and Bob verify the received signatures and compute the shared secret: 
$abP_0$. 

Here, there is no session key escrow. However, there is still an attack scenario: 
an ancestor of Alice and an ancestor of Bob could collude to mount a man-in- 
the-middle attack. This attack has an analogue in PKI: CAs could collude in 
a similar way. Dual-HIDE can be used in combination with key agreement to 
minimize the possible scope of such collusion among ancestors. 

Implicit authentication based on Sakai-Ohgishi-Kasahara key agreement can 
be done as follows. Alice and Bob first perform a standard (or elliptic curve) 
Diffie-Hellman exchange, after which Alice thinks the shared Diffie-Hellman 
value is $g_A$ and Bob thinks it is $g_B$. Then Alice computes the shared secret as 
$H(g_A, S_{AB})$ and Bob computes it as $H(g_B, S_{AB})$, where $H$ is a one-way collision- 
resistant hash function and $S_{AB} = e(P_A, P_B)^s = e(S_A, P_B) = e(S_B, P_A)$, where 
$P_A = H_1(\mathrm{ID}_A)$ is Alice's public point and $S_A = sP_A$ is her private point, 
$P_B = H_1(\mathrm{ID}_B)$ is Bob's public point and $S_B = sP_B$ is Bob's private point, 
and $s$ is their PKG's master secret. Unless the man-in-the-middle is the PKG, 
it will not be able to compute Alice's or Bob's version of the shared secret, since 
it does not know $S_{AB}$. However, it can prevent Alice and Bob from computing 
the same shared secret. Alice and Bob will not know that their key agreement 
protocol has been disrupted until, for example, one sends an undecipherable 
message to the other. A passive PKG will not know Alice's and Bob's shared 
Diffie-Hellman value, and is therefore unable to compute the session key. 
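The implicitly authenticated exchange just described, as an added example that is not from the paper: it uses the same constructed discrete-log toy pairing as before (group elements stored as their logs, so it checks only the algebra and has no security), SHA-256 standing in for $H_1$ and $H$, and a constructed PKG with the identities "alice", "bob" and "eve". It also shows the disruption the text mentions: when a different Diffie-Hellman share is substituted, the two parties end up with different keys.

```python
"""Implicitly authenticated Diffie-Hellman with the Sakai-Ohgishi-Kasahara
secret (constructed example; same log-based toy pairing as above: insecure,
it only checks the algebra)."""
import hashlib
import secrets

q = 2**61 - 1    # prime group order (constructed choice)
P0 = 1           # generator of G1; G1 and G2 elements are stored as logs

def e(a, b):     # toy pairing: e(aP0, bP0) -> a*b, with G2 written additively
    return (a * b) % q

def H1(identity):   # public point P = H1(ID)
    d = hashlib.sha256(b"id|" + identity).digest()
    return int.from_bytes(d, "big") % (q - 1) + 1

def H(dh_value, s_ab):   # one-way, collision-resistant hash of both secrets
    return hashlib.sha256(f"{dh_value}|{s_ab}".encode()).digest()

class PKG:
    def __init__(self):
        self.s = secrets.randbelow(q - 1) + 1     # master secret s

    def issue(self, identity):                     # private point S = sP
        return (self.s * H1(identity)) % q

def dh_start():
    """Ephemeral Diffie-Hellman share: x and xP0, in the same toy group."""
    x = secrets.randbelow(q - 1) + 1
    return x, (x * P0) % q

def session_key(my_S, peer_identity, my_x, peer_share):
    """H(g, S_AB): g is this party's view of the DH value, S_AB = e(S_me, P_peer)."""
    g = (my_x * peer_share) % q
    return H(g, e(my_S, H1(peer_identity)))
```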


7 Security 

7.1 Security Definitions 

We first give some definitions that are very similar to those given in [5161 1 2: . 
Their similarity should not be surprising because, at a high level, the security 
issues involved in hierarchical ID-based cryptography are substantially identical 
to those in non-hierarchical ID-based cryptography; we are merely adding new 
levels. 

Chosen-Ciphertext Security: As Boneh and Franklin noted in the context 
of (non-hierarchical) ID-based cryptography, the standard definition of chosen- 
ciphertext security must be strengthened for ID-based systems, since one should 
assume that an adversary can obtain the private key associated with any iden- 
tity of its choice (other than the particular identity being attacked). The same 
applies to hierarchical ID-based cryptography. Thus, we allow an attacker to 
make "private key extraction queries." Also, as in 0, we allow the adversary to 
choose the identity on which it wishes to be challenged. 

One subtlety is that an adversary may choose its target identity adaptively 
or nonadaptively. An adversary that chooses its target adaptively will first make 
hash queries and extraction queries, and then choose its target based on the 
results of these queries. Such an adversary might not have a particular target in 
mind when it begins the attack, and its eventual target need not even belong to 
an existing entity. Rather, this adversary is successful if it is able to hack some 
identity to which it is not entitled. A nonadaptive adversary, on the other hand, 
chooses its target independently from results of hash queries and extraction 
queries. For example, such an adversary might target a personal enemy. The ad- 
versary may still make hash and extraction queries, but its target choice is based 
strictly on the target’s identity, not on query results. Obviously, security against 
an adaptively-chosen-target adversary is the stronger, and therefore preferable, 
notion of security. However, we will address both types of security, since our 
security proofs against nonadaptively-chosen-target adversaries are stronger. 

We say that a HIDE scheme is semantically secure against adaptive chosen 
ciphertext and adaptive (resp., nonadaptive) chosen target attack (IND-HID- 
CCA (resp. IND-NHID-CCA)) if no polynomially bounded adversary A has a 
non-negligible advantage against the challenger in the following game. (Note: for 
IND-NHID-CCA, Phase 1 is omitted.) 

Setup: The challenger takes a security parameter K and runs the Root Setup 
algorithm. It gives the adversary the resulting system parameters params. It 
keeps the root key to itself. 

Phase 1: The adversary issues queries $q_1, \ldots, q_m$ where $q_i$ is one of: 

1. Public-key query ($\text{ID-tuple}_i$): The challenger runs a hash algorithm on 
$\text{ID-tuple}_i$ to obtain the public key $H(\text{ID-tuple}_i)$ corresponding to $\text{ID-tuple}_i$. 

2. Extraction query ($\text{ID-tuple}_i$): The challenger runs the Extraction algorithm 
to generate the private key $d_i$ corresponding to $\text{ID-tuple}_i$, and sends $d_i$ to 
the adversary. 

3. Decryption query ($\text{ID-tuple}_i, C_i$): The challenger runs the Extraction algo- 
rithm to generate the private key $d_i$ corresponding to $\text{ID-tuple}_i$, runs the 
Decryption algorithm to decrypt $C_i$ using $d_i$, and sends the resulting plain- 
text to the adversary. 

These queries may be asked adaptively. Note also that the queried $\text{ID-tuple}_i$ may 
correspond to a position at any level in the hierarchy. 

Hierarchical ID-Based Cryptography 563 

Challenge: Once the adversary decides that Phase 1 is over, it outputs two 
equal length plaintexts $M_0, M_1 \in \mathcal{M}$ and an ID-tuple on which it wishes to be 
challenged. The only constraints are that neither this ID-tuple nor its ancestors 
appear in any private key extraction query in Phase 1. Again, this ID-tuple may 
correspond to a position at any level in the hierarchy. The challenger picks a 
random bit $b \in \{0,1\}$ and sets $C = \text{Encryption}(\text{params}, \text{ID-tuple}, M_b)$. It sends 
$C$ as a challenge to the adversary. 

Phase 2: The adversary issues more queries $q_{m+1}, \ldots, q_n$ where $q_i$ is one of: 

1. Public-key query ($\text{ID-tuple}_j$): Challenger responds as in Phase 1. 

2. Extraction query ($\text{ID-tuple}_j \ne$ ID-tuple or ancestor): Challenger responds as 
in Phase 1. 

3. Decryption query ($(\text{ID-tuple}_j, C_j) \ne$ (ID-tuple or ancestor, $C$)): Challenger 
responds as in Phase 1. 

Guess: The adversary outputs a guess $b' \in \{0,1\}$. The adversary wins the game 
if $b = b'$. We define its advantage in attacking the scheme to be $|\Pr[b = b'] - \tfrac{1}{2}|$. 

One Way Identity-Based Encryption: As in |E|, we define one-way encryp- 
tion (OWE) for a public key encryption scheme as follows. The adversary $A$ is 
given a random public key $K_{pub}$ and a ciphertext $C$ that is the encryption of a 
random message $M$ using $K_{pub}$, and outputs a guess for the plaintext. The ad- 
versary is said to have advantage $\epsilon$ against the scheme if $\epsilon$ is the probability that 
$A$ outputs $M$. The scheme is said to be a one-way encryption (OWE) scheme if 
no polynomial time adversary has a non-negligible advantage in attacking the 
scheme. 

We say that a HIDE scheme is one-way (HID-OWE or NHID-OWE, depend- 
ing on whether the target is chosen adaptively or not) if no polynomial time 
adversary has a non-negligible advantage against the challenger in the following 
game. (Phase 1 is omitted for NHID-OWE.) 

Setup: The challenger takes a security parameter k and runs the Root Setup 
algorithm. It gives the adversary the resulting system parameters params. It 
keeps the root key to itself. 

Phase 1: The adversary makes public-key and/or extraction queries as in Phase 
1 above. 

Challenge: Once the adversary decides that Phase 1 is over, it outputs a new 
ID-tuple on which it wishes to be challenged. The challenger picks a random 
$M \in \mathcal{M}$ and sets $C = \text{Encryption}(\text{params}, \text{ID-tuple}, M)$. It sends $C$ as a chal- 
lenge to the adversary. 

Phase 2: The adversary issues more public-key queries and more extraction 
queries on identities other than this ID-tuple and its ancestors, and the challenger 
responds as in Phase 1. 

Guess: The adversary outputs a guess $M' \in \mathcal{M}$. The adversary wins the game 
if $M = M'$. We define the adversary's advantage in attacking the scheme to be 
$\Pr[M = M']$. 

7.2 Security Results 

The security of BasicHIDE and Dual-HIDE is based on the difficulty of the BDH 
problem, as stated in the following theorems (which are analogous to Theorem 
4.1 in 0): 

Theorem 1. Suppose there is an NHID-OWE adversary $A$ that has advantage $\epsilon$ 
against the BasicHIDE or Dual-HIDE scheme for some ID-tuple and that makes 
$q_{H_2} > 0$ hash queries to the hash function $H_2$ and a finite number of private key 
extraction queries. If the hash functions $H_1, H_2$ are random oracles, then there 
is an algorithm $B$ that solves the BDH in groups generated by $\mathcal{IG}$ with advantage 
at least $(\epsilon - \frac{1}{2^k})/q_{H_2}$ and running time $O(\text{time}(A))$. 

Theorem 2. Suppose there is an HID-OWE adversary $A$ that makes at most 
$q_{H_2} > 0$ hash queries to the hash function $H_2$ and at most $q_E > 0$ private key 
extraction queries and has advantage $\epsilon_t$ of successfully targeting a BasicHIDE 
or Dual-HIDE node in $\text{Level}_t$. If the hash functions $H_1, H_2$ are random oracles, 
then there is an algorithm $B$ that solves the BDH in groups generated by $\mathcal{IG}$ with 
advantage at least $\left(\frac{t}{e(q_E+t)}\right)^t \frac{\epsilon_t - \frac{1}{2^k}}{q_{H_2}}$ and running time $O(\text{time}(A))$. 

If $t = O(1)$ and $q_E$ is polynomial in the security parameter, then $(t/e(q_E+t))^t$ 
is non-negligible in the security parameter, and we have a polynomial reduction 
from BasicPub to BasicHIDE (for adaptively-chosen-target adversaries). 

With Fujisaki-Okamoto padding, these schemes can be made chosen cipher- 
text secure if BDH is hard in the groups generated by $\mathcal{IG}$. The proof follows from 
Theorems 1 and 2 analogously to the way that Theorem 4.4 of |E| follows from 
Lemma 4.3 of |B). Further, the security of the HIDS scheme depends only on the 
difficulty of the Diffie-Hellman problem in the group $G_1$, and not on BDH. We 
will give security proofs in the full version of the paper. 

8 Extensions and Observations 

Improving Efficiency of Encryption: Levels 0 and 1 can be merged into a 
single (combined levels 0 and 1) root PKG. In that case, $g = e(Q_0, P_1)$ is in- 
cluded in the system parameters. This saves encrypters the task of computing 
the value of this pairing. However, decrypters must compute an extra pairing 
(as a result of being one level lower down the tree). 

Distributed PKGs: As in Section 6 of jEj, the secrets $s_i$ and private keys can 
be distributed using techniques of threshold cryptography to protect the secrets 
and make the scheme robust against dishonest PKGs. 

Concrete Schemes: For our HIDE and HIDS schemes, one can use the same 
elliptic curves or abelian varieties as those in 0, 0, or |T3. 
9 Conclusion 

We gave hierarchical ID-based encryption (HIDE) schemes that are practical, to- 
tally collusion-resistant, and secure against chosen-ciphertext attacks. The mes- 
sage expansion factor and complexity of decryption grow only linearly with the 
number of levels in the hierarchy. We introduced a related hierarchical ID-based 
signature (HIDS) scheme that is especially effective when used in combination 
with HIDE and Dual-HIDE. This also appears to be the first paper related to 
ID-based cryptography that gives methods for circumventing key escrow. 
Abstract. Designing cryptographic mechanisms and products is a chal- 
lenging task. This task will become increasingly hard as software tech- 
nology and systems evolve and as the new computational environment 
becomes more distributed, more diverse, and more global. In order to 
enable the inclusion of cryptographic components in the future infras- 
tructure and within future applications, it is argued that assurance of 
their (secure) operation has to be provided and their robustness has to 
be exhibited in real time. This assurance, which we call crypto-integrity, 
will guarantee the correct functioning of the cryptographic components 
in an efficient fashion. This built-in integrity should have no impact on 
the system security and should have minimal impact on its function, 
performance and composability. 

We review the need for crypto-integrity in various known settings, ways 
to implement it based on known protocol techniques as well as potential 
future directions. The paper is written as a position paper and not as a 
survey of the vast relevant literature. 


1 Introduction 

Integrity assurance is a part of many modern cryptography constructions. In 
fact, cryptography itself is often employed to provide strong integrity such as 
"message integrity" (assured by hashing a message based on a secret key in a 
MAC operation). Other cryptographic operations have integrity associated with 
them, e.g. digital signing (initiated by Diffie-Hellman, Rivest, Shamir and Adle- 
man, and Rabin) involves a verification procedure which assures the authenticity 
of the signature. 

The design of cryptographic protocols where many parties are involved in a 
joint activity allows dishonest adversaries to behave in arbitrary devious ways. 
Thus, the need to assure well behaved parties arises naturally. Early proto- 
cols like Rabin’s signature protocol and Blum’s coin flipping had assurance of 
behavior designed into them. Then, the development of the basic notion of zero- 
knowledge by Goldwasser, Micali and Rackoff was crucial to recognizing the 
central idea of systematic assurance of well behaved parties. The fact that NP 
languages have zero-knowledge proofs (and arguments) is fundamental and can 
be used to assure that actions taken in a cryptographic protocol are in accor- 
dance with the protocol specifications. This serves as a general plausibility result 
that integrity of parties in a protocol can be upheld and monitored. 

Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 567-573, 2002. 
However, for every protocol solving a specific task, we need to design specific 
proofs and integrity mechanisms that are efficient and suitable to its setting. 
In fact, as cryptographic services are deployed, every system configuration and 
every specialized setting will need to provide efficient and specialized methods 
for exhibiting the correct behavior of components; we call these methods crypto- 
integrity. Next we mention some systems factors affecting the need for specialized 
crypto-integrity. 


1.1 System Setting and Requirements 

We will now review some practical requirements and will argue how they can be 
achieved/strengthened by having crypto-integrity functions. 

As cryptographic primitives and protocols are being developed as products, 
their adoption into the computing and communication infrastructure will be 
based on their usefulness and effectiveness (typically measured in business by 
“Return on Investment”). This means that certain basic properties are required, 
some of which are related to generic desired properties (like user-friendliness), 
while others relate directly to the intrinsic properties of cryptographic design: 

— Generality and composability of components: the basic product should be 
useful in many settings as a general primitive. We should be able to employ 
it with many (current and future) applications and it should remain secure 
in these settings. 

— Adaptability (or scalable security): we should be able to embed the prod- 
uct in various settings (of different scales) and change its environment and 
even the threats to which it is susceptible, yet it should keep on being se- 
cure. (Many designs are too "setting specific" and are hard to adapt to new 
environments). 

— Performance: this is an important factor that may fail the product when 
e.g. speed is a requirement or when it becomes too costly to implement fast 
or compact solutions. In some environments performance criteria are crucial 
(and this changes as technology changes). 

— Assurance: there should be assurance about the product workings. Besides 
the proof of security which should be done in the proper setting of the entire 
application (end-to-end arguments), and besides testing, it will be useful 
if the product will have on-line assurance of the way its components work 
(namely, what we called crypto-integrity). 

The above and similar requirements usually serve as a feedback to the crucial 
work on foundations of cryptography, where new notions are defined, designed 
and improved, and where the characteristic and inherent properties of the basic 
notions are investigated. 

These requirements are also very useful to practitioners. To have a sustainable 
business one needs to have certain quality in its products. Having crypto-integrity 
may ease re-usability of components and shorten the test cycle. Having a general 
component that is adaptable to various settings and can support current and 
emerging applications is, at times, an important prerequisite for profit. 
The notion of crypto-integrity has implications to all the above requirements. 
It helps assure the proper behavior of components, which means that parties are 
committed to certain computations, something that leads to predictable per- 
formance (and time-out mechanisms can further detect delays that are system 
specific methods to cope with delays caused by misbehaving components). It 
helps in exhibiting (at the interface between components) what is done by indi- 
vidual components and sub-systems, and thus helps in composing systems and 
the adaptability of components. It supports and reinforces formal assurance pro- 
cedures such as certification of products by government bodies. 

Crypto-integrity is an assurance mechanism which is achieved by enhancing 
the function of the component itself (in on-line operation). On-line integrity has 
many implications in special contexts. Let us mention one current implication. 
The context is a trusted computing environment run under a tamper resistant 
component of the architecture. This setting may have a lot of positive impli- 
cations. It has however, many bad implications, if it is not run according to a 
“publicly agreed upon” specification. With crypto-integrity we may be able, at 
least partially, to assure compliance of a well specified trusted environment with 
its global specification (especially if we limit it to very specialized functions, 
since in general we cannot really tell what a tamper resistance cryptographic 
environment is doing as was shown by the notion of Kleptography [Young and 
Yung, Crypto 96, Eurocrypt 97, Crypto 97]). 

In the rest of this paper I will mention examples of mechanisms (protocol 
design and settings) where crypto-integrity plays an important role. 

2 Examples: the Usefulness of Crypto-integrity 

2.1 Cryptographic Program Checking 

Blum introduced the useful and elegant notion of Program Result Checking. In 
this setting, given arbitrary input $a$ and program $P$, a checker $C$ for a function 
$f$ will catch, with high probability, if $P(a) \ne f(a)$. The checker has only "black- 
box" access to the program and accomplishes its goal on-line. Cryptographic 
program checking (developed in [Frankel, Gemmel and Yung, STOC96]) allows 
the on-line checking of programs computing cryptographic functions in a working 
environment. 

In this model the checker worries about correctness (a concern that tradi- 
tional “program checking” takes care of), since due to the adversarial setting 
we require correctness with very high probability. In addition, the owner of a 
program will output P(a) provided it is authorized to output the result, but the 
checker (user) learns nothing more about P from this checking procedure, in the 
spirit of the zero-knowledge complexity approach to knowledge. Such checking 
methods are witness-based (they allow the output of a few values to be known 
as a witness) and achieve fast verification. In some sense the procedures can be 
viewed as extending the “deniable signature” proof method of Chaum. 

The basic application of this method is testing cryptographic servers. In the 
future, many servers will act on behalf of user populations and assurance of 
non-spoofed service will be important. We now discuss several applications for 
cryptographic program checking. 

Consider the encrypting-machine requester game where the encrypting-machine 
(server) is willing to encrypt authorized requests. If the checking process requires 
the encryption of other (unauthorized) plaintext so that the output of the request 
can be checked, then the checker can exploit this service to encrypt unauthorized 
texts as well. Cryptographic program checking can be used to prevent such an 
exposure. 

Another similar application is the international key escrow game. This is 
related to specifications of key recovery methods between organizations and en- 
tities, an issue that is not yet well understood (on a technical level), but is similar 
to the concept of escrow encryption systems. 

In this situation country A has a key escrow system and will allow country 
B to obtain decryption of messages of A’s citizens under some predefined treaty 
and under some conditions. A does not want to provide B with the actual keys 
of its citizens (only the decrypted messages should be disclosed) while country B 
does not trust that A will reply with the correct cleartext values. Cryptographic 
program checking, in turn, allows B to verify the correctness of the outputs, 
while A knows that it is not being abused (by revealing messages not covered 
by the treaty or conditions). Of course, the setting is applicable to many (less 
controversial) scenarios. The basic ideas of our methodology can be applied to 
a verifier hardware-device game, where a holder of a result computed by some 
hardware device needs to probe a verifying device. For example, it makes it pos- 
sible to make sure that a value computed in the past (a time stamp) is correct 
without the verification process leaking the computation itself (that is, recomput- 
ing the time stamp, which in effect causes an undesirable back-stamping). The 
methodology of cryptographic program checking applies to this situation as well. 


2.2 Threshold Cryptosystems 

One of the applications that motivated this research on cryptographic program 
checking is in the development of verification algorithms for threshold cryptography 
(where a function sharing or capability sharing is taking place). This is 
a method to distribute control of a function by a dealer or distributedly. In the 
function sharing game a function $f$ is distributed amongst $n$ agents as programs 
$P_1(\cdot), \ldots, P_n(\cdot)$ such that a threshold (quorum) of, say, any $t$ are able to compute 
$f(a)$ from $P_{i_1}(a), \ldots, P_{i_t}(a)$. There are several interesting applications for which 
function sharing is a very useful solution in practice (e.g., distributed decryp- 
tion, signature generation, public key certification generation, e-cash generation, 
etc.). 

Once the shares are available there is a polynomial-time combiner that col- 
lects the shares and combines them into the final result of the function. When 
agents misbehave this gives rise to the game between the agents and the com- 
biner, where the combiner has to be sure to pick correct shares into its compu- 
tation. If there is no efficient way to verify correctness of shares, the combiner 
may need to try all subsets of shares (but this will take exponential time). The 
agent combiner game will assure the combiner which of the agents acted cor- 
rectly. The need for robust function sharing was also expressed in an application 
for replicating services in a network where some of the clients and servers have 
been corrupted by an adversary. Since there is a real systems’ need for the prim- 
itive, inefficient methods like non-interactive zero-knowledge techniques should 
be avoided. While many results have been achieved in this area, the applicability 
and usability of the results has yet to be realized. 

2.3 Proactive Security 

Another game, called the proactive function sharing game, is an extension of the 
robust function sharing game. In this system the agents’ state is modified over 
time (by the agents themselves) so that an adversary may have access to all 
agents over the lifetime of the system but not to all (or not even to a quorum) 
at any particular point in time. The agents periodically modify their state so 
that information learned by a mobile adversary at two points in time is, for 
practical purposes, uncorrelated. In this game, the honest agents make sure that 
changing their state does not provide a means for the adversary to learn too 
much information nor to destroy the ability of honest agents to later compute 
the function. Hence each of the agents verifies that the information provided 
to it by other agents is correct before it changes states. This notion is called 
proactive security. 

The notion of proactive security was a result of dealing with a mobile ad- 
versary which corrupts different parts of the system at different times. It was 
motivated by new threats like network viruses. It was first developed for the 
area of general secure multi-party computation (initiated by Yao and Goldreich, 
Micali and Wigderson) in [Ostrovsky and Yung, PODC 91]. It was somewhat 
motivated by an early notion of allowing users in this setting of general multi- 
party computation to leave and re-join the computation smoothly. (This last 
idea needed the method of “share-of-shares”, a robustness mechanism that 
was first employed in [Galil, Haber and Yung, Crypto 87].) It was also 
further motivated by Dijkstra’s notion of self-stabilizing protocols, which allows 
transient faults, whereas proactive protocols allow persisting faults (rather than 
transient) by introducing redundancy (requiring an honest majority). 

Many procedures have been “proactivized” and in particular so have many 
distributed cryptosystems. The need for integrity when the system is dy- 
namically changing and when honest users re-join is crucial. 

Proactive methods allow us to change the quorum of users that hold some 
computational capability distributedly within a system. This is a new function 
that is made possible by the built-in integrity mechanism which ensures the 
correctness of the shared capability, throughout. 
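
The agent-combiner game of Section 2.2 and the state refresh of Section 2.3 can both be shown on a toy threshold sharing. The following is an added illustration, not code from the keynote or from the papers it cites: it uses Shamir secret sharing over a small prime field together with Feldman-style discrete-log commitments as the share-verification mechanism (that choice of mechanism is an assumption made here for concreteness; the keynote does not prescribe one). The group parameters, the secret 777 and the five agents are constructed values. The combiner verifies each share against the published commitments and so never has to try subsets; in the refresh step every agent deals a sharing of zero, and each receiver checks that update before changing its own state, so the secret is preserved while old and new shares become unrelated.

```python
"""Toy robust threshold function sharing with proactive refresh (added example).

Shamir sharing over Z_Q plus Feldman-style discrete-log commitments, an assumed
verification mechanism chosen here for concreteness; not code from the keynote.
"""
import random
import secrets

# Constructed toy parameters: Q and P = 2Q+1 are prime and G = 2^2 mod P generates
# the order-Q subgroup of Z_P^*. Far too small for real use.
Q = 1019
P = 2 * Q + 1     # 2039
G = pow(2, 2, P)  # 4

def eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... over Z_Q."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def share(secret, n, t, rng=secrets.randbelow):
    """Dealer: split secret into n shares (agent i -> P_i's share); any t recover it.
    Also returns the published commitments g^{c_k} to the polynomial coefficients."""
    coeffs = [secret % Q] + [rng(Q) for _ in range(t - 1)]
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}
    return shares, [pow(G, c, P) for c in coeffs]

def verify_share(i, s, commits):
    """Feldman check: g^s == prod_k C_k^(i^k) mod P iff s is the polynomial value at i."""
    rhs = 1
    for k, c in enumerate(commits):
        rhs = rhs * pow(c, pow(i, k, Q), P) % P
    return pow(G, s, P) == rhs

def combine(shares):
    """Lagrange interpolation at 0 over Z_Q using exactly the shares given (dict i -> s_i)."""
    total = 0
    for i, s_i in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + s_i * num * pow(den, -1, Q)) % Q
    return total

def robust_combine(shares, commits, t):
    """Agent-combiner game: drop shares failing verification, combine t of the rest.
    Returns (result, rejected agent ids); raises if fewer than t shares are valid."""
    good = {i: s for i, s in shares.items() if verify_share(i, s, commits)}
    rejected = sorted(set(shares) - set(good))
    if len(good) < t:
        raise ValueError(f"only {len(good)} valid shares, need {t}")
    return combine(dict(list(good.items())[:t])), rejected

def refresh(shares, commits, t, rng=secrets.randbelow):
    """Proactive refresh: every agent deals a fresh sharing of 0 (zero constant term).
    A receiving agent checks that the update shares 0 (commitment to the constant
    term is g^0 = 1) and that its sub-share matches the commitments before changing
    state. The secret is unchanged; old and new shares are unrelated."""
    new_shares, new_commits = dict(shares), list(commits)
    for j in shares:                    # agent j deals a zero-sharing
        zcoeffs = [0] + [rng(Q) for _ in range(t - 1)]
        zcommits = [pow(G, c, P) for c in zcoeffs]
        for i in shares:                # agent i checks, then updates its state
            d = eval_poly(zcoeffs, i)
            if zcommits[0] != 1 or not verify_share(i, d, zcommits):
                raise ValueError(f"agent {i} rejects update from agent {j}")
            new_shares[i] = (new_shares[i] + d) % Q
        new_commits = [c * z % P for c, z in zip(new_commits, zcommits)]
    return new_shares, new_commits

SECRET = 777  # constructed example secret, e.g. a shared signing key in Z_Q

def demo(seed=None):
    """One round of the agent-combiner game with a misbehaving agent, then a refresh."""
    rng = random.Random(seed).randrange if seed is not None else secrets.randbelow
    n, t = 5, 3
    shares, commits = share(SECRET, n, t, rng)
    corrupted = dict(shares)
    corrupted[2] = (corrupted[2] + 1) % Q       # agent 2 submits a wrong share
    recovered, rejected = robust_combine(corrupted, commits, t)
    new_shares, new_commits = refresh(shares, commits, t, rng)
    recovered_after = robust_combine(new_shares, new_commits, t)[0]
    return {"recovered": recovered, "rejected": rejected,
            "recovered_after_refresh": recovered_after,
            "shares_changed": new_shares != shares}

if __name__ == "__main__":
    print(demo(seed=7))
```

Running `demo()` shows the combiner naming agent 2 as the misbehaving party and recovering 777 from the remaining three shares, and then recovering the same value after every share has been refreshed. The commitments make a wrong share detectable with one exponentiation check per share, which is the efficiency point of the section: without them the combiner would have to interpolate over subsets of shares until one agreed.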

2.4 Voting Schemes 

Voting schemes have interesting requirements. They ask that the voter’s action 
is universally verifiable yet his ballot has to remain secret. Various methods 
assuring the integrity of the system and limiting malicious voters, preventing 
them from disturbing the global voting process have been developed. Recently 
(in [Kiayias and Yung, PKC 2002]) a small scale election with unique properties 
was given. It assures increased privacy (where in order to compromise the privacy 
of a ballot, all other voters have to collude against an individual) and combines 
it with a form of fault tolerance and universal verifiability in a way that there are 
no disputes in the on-line process (dispute freeness) due to the built-in crypto- 
integrity. 

2.5 Assurance with respect to Off-line Third Parties 

In escrow and key recovery systems (especially in auto recoverable cryptosys- 
tems, see [Young and Yung, Eurocrypt’98, PKC’00]), as well as in traceable 
e-cash and in various other settings, we have a user assuring that some action by 
an off-line third party is in fact doable, once this third party becomes active. The 
availability of public keys and the proof techniques which use them enable such 
proof of actions by a third party where there is no need for on-line parties to 
participate. We expect such methods to find further applications in many areas. 


2.6 Minimizing Key-Exposure 

Recently, cryptosystems have been designed where key exposure is coped with 
either by “forwarding” (self updating) the key, making past keys inaccessible, 
or by sharing the key with a server (key-insulated cryptosystems developed in 
[Dodis, Katz, Xu and Yung, Eurocrypt’02]). We note that when sharing and 
updating keys with other elements, crypto-integrity is a must. 


2.7 Multi User Setting 

The case where multi users are present in a system (rather than two parties: a 
sender and a receiver) may change the setting and the possibility of procedures 
that can be employed. For example a “distributed proof” can be conducted 
assuring a group of users with honest majority of a fact while not revealing 
the underlying secret. Many areas of multi-user oriented cryptography are still 
open, and crypto-integrity is likely to play an increasingly important role in this 
setting. 

2.8 Environmental Constraints and Protocols 

Due to technological changes, the environment where protocols are being exe- 
cuted is changing. Protocol notions based on the Internet concurrency, and no- 
tions based on limited execution environments (mobile devices and smart cards) 
are being considered nowadays. These changes will affect the crypto-integrity 
requirements among other changes that they will dictate. 

Environmental constraints also motivate research on modularity and compo- 
sition of crypto protocols. The methods that assure integrity are paramount to 
allowing properties like composition in specialized settings. For example, the is- 
sue of self-testing protocols while retaining the protocol’s security is in its infancy 
(see [Franklin, Garay and Yung, DISC’99]). 

3 Conclusions 

We reviewed areas where crypto-integrity methods have been developed and 
used extensively. We showed how the notion allows for integrity assurance while 
retaining the secrecy of cryptographic techniques. 

We claim that on-line assurance is a crucial security component: If we run 
tests of the systems in a working environment where we have to give up security 
to validate the system’s correctness, we are at risk that someone in control of 
moving from test mode to operational mode can use this capability to compro- 
mise the system. 

Also, on-line assurance is very important in working systems which evolve 
and change. It makes sure the core cryptographic component is acting correctly. 
Maintaining the integrity as the system changes is an interesting open area of 
research. 

On-line crypto-integrity adds “function” by allowing parties to be off-line but 
nevertheless assuring that when they join they will be able to perform their task. 
With cryptography being part of many applications, such tools are expected to 
be crucial. 

The research questions regarding on-line integrity in cryptographic settings 
are many: from improving the efficiency and other properties of existing methods, 
through questions related to new techniques and new primitives where integrity 
is crucial, to possibly new areas where crypto-integrity functionality is a must 
such as “safe cryptographic testing and development,” “general notions of com- 
posability and modularity,” “theory of reusable cryptographic methods,” and 
“theory of update of system based on change of threats.” We believe that given 
that “cryptosystems deployment as part of more general computing systems” 
is still (in spite of deployment successes) an area in its infancy, the area of as- 
suring integrity in cryptographic settings is open to further investigation and to 
innovations. 
Abstract. Vulnerability evaluation of various biometric systems should 
be conducted and its results should be available to potential users. 


Summary 

Biometrics is utilized in individual authentication techniques which identify in- 
dividuals by checking physiological or behavioral characteristics, such as finger- 
prints, faces, voice, iris patterns, signatures, etc. Biometric systems are said to be 
convenient because they need neither something to memorize such as passwords 
nor something to carry about such as ID tokens. In spite of that, a user of 
biometric systems would get into a dangerous situation when her/his biometric 
data are abused. For example, you cannot change your fingerprints while you 
can change your passwords or ID tokens when they are compromised. Therefore, 
biometric systems must protect the information for biometrics against abuse, 
and they must also prevent fake biometrics. 

We focus on fingerprint systems since they have become widespread as au- 
thentication terminals for PCs or mobile terminals. A fingerprint system has 
an enrollment process and a verification process. In an enrollment process, the 
system captures finger data from an enrollee with sensing devices, extracts fea- 
tures from the finger data, and then records them as a template with personal 
information, e.g. a personal identification number (PIN), of the enrollee in a 
database. We are using the words finger data to mean not only features of the 
fingerprint but also other features of the finger, such as liveness features. 
In a verification (or identification) process, the system captures finger data from 
a finger with sensing devices, extracts features, verifies (or identifies) the fea- 
tures by comparing them with templates in the database, and then outputs a result of 
Acceptance only when the features correspond to one of the templates. Most 
fingerprint systems utilize optical or capacitive sensors for capturing fingerprints. 
These sensors detect the difference between ridges and valleys of fingerprints. Opti- 
cal sensors detect the difference in reflection. Capacitive sensors, by contrast, detect 
the difference in capacitance. Some systems utilize other types of sensors, such as 
thermal or ultrasonic sensors. In this study we examine fingerprint systems 
which utilize optical or capacitive sensors. 
Potential threats posed by objects resembling real fingers, which are called arti- 
ficial fingers, should be crucial for authentication based on fingerprint systems. 
However, vulnerability evaluation against attacks using such artificial fingers has 
rarely been disclosed. 

As researchers who are pursuing secure systems, we would like to discuss 
attacks using artificial fingers and conduct experimental research to clarify the 
reality. We report that 

1. gummy fingers, namely artificial fingers that are easily made of cheap and 
readily available gelatin, were accepted at extremely high rates by 11 par- 
ticular fingerprint devices with optical or capacitive sensors, and 

2. conductive silicone fingers, namely artificial fingers that are made of silicone 
rubber filled with electrically conductive carbon black of 12%-16%, were 
accepted at extremely high rates by the same set of fingerprint devices except 
for two devices using optical sensors with seemingly color-checking ability. 

We have used the molds, which we made by pressing our live fingers against 
them, or by processing fingerprint images from prints on glass surfaces, or by 
processing impression of inked fingers. We describe how to make the molds, and 
then show that the gummy fingers and conductive silicone fingers which are 
made with these molds, can fool the fingerprint devices. 

The fact that gummy fingers which are easy to make with cheap and eas- 
ily obtainable tools and materials can be accepted suggests a review not only of 
fingerprint systems but also of biometric systems in general. This experimental study on 
artificial fingers will have considerable impact on the security assessment of bio- 
metric systems. Manufacturers and vendors of biometric systems should carefully 
examine the security of their systems against artificial clones. Also, they should make 
public the results of their examination, which would lead users of their systems to a deep 
understanding of the security. We would like to discuss the effect of such a vul- 
nerability analysis and how to disclose the information based on our experience 
and the responses we received. 